After completing the Prerequirements section of this workshop, an AWS ECR registry is running in your account.
It includes 3 example Docker images: "mysql:5.7", "postgres:13", "redis:6".
Now you’ll learn and practice how to automate scanning of images in your registry.
Sysdig Automated Registry Scanner is delivered as a Kubernetes CronJob, so it needs a Kubernetes cluster to run on. Once installed, it triggers a full registry scan on a regular basis (once a week by default).
Install the scanner CronJob via the Helm chart on the EKS cluster. Make sure that the EKS cluster has been created and kubectl configured as indicated in the prerequisites section, and substitute the API token and URL with your own credentials.
helm repo add sysdig https://charts.sysdig.com
helm repo update
helm upgrade --install registry-scanner \
--version=1 \
--set config.secureBaseURL=<YOUR-SYSDIG-REGION-URL> \
--set config.secureAPIToken=<YOUR-SYSDIG-TOKEN> \
--set config.registryURL=$(aws sts get-caller-identity | jq '.Account' | xargs).dkr.ecr.us-east-1.amazonaws.com \
--set config.registryType=ecr \
--set config.registryUser="" \
--set config.registryPassword="" \
--set scanOnStart.enabled=true \
--set config.filter.maxAgeDays=365 \
sysdig/registry-scanner
Check that the CronJob was properly installed with:
kubectl get cronjobs
The output should look like this example:
NAME               SCHEDULE     SUSPEND   ACTIVE   LAST SCHEDULE   AGE
registry-scanner   0 6 * * 6    False     0        <none>          2d1h
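A scanner that is installed but never fires gives no coverage, so it is worth checking more than that the CronJob exists. The following added example (not part of the workshop or the Sysdig chart) reads the JSON from `kubectl get cronjob registry-scanner -o json` and flags the states in which the registry silently stops being scanned: the CronJob is suspended, it has never been scheduled, or its last run is older than the weekly interval implied by the default schedule `0 6 * * 6` (Saturday 06:00). The embedded sample JSON is constructed for illustration.

```python
"""Health check for the registry-scanner CronJob (added example, not the chart's own code)."""
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the CronJob the chart installs (weekly schedule 0 6 * * 6).
SAMPLE_CRONJOB_JSON = """
{
  "metadata": {"name": "registry-scanner"},
  "spec": {"schedule": "0 6 * * 6", "suspend": false},
  "status": {"lastScheduleTime": "2024-05-04T06:00:00Z", "active": []}
}
"""


def parse_k8s_time(value):
    """Kubernetes emits RFC 3339 timestamps in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_cronjob(cronjob_json, now, max_age=timedelta(days=7, hours=6)):
    """Return a list of findings; an empty list means the scanner looks healthy.

    max_age defaults to one week plus a few hours of slack for the weekly schedule.
    """
    cj = json.loads(cronjob_json)
    spec, status = cj.get("spec", {}), cj.get("status", {})
    findings = []
    if spec.get("suspend"):
        findings.append("CronJob is suspended: no registry scans will run")
    last = status.get("lastScheduleTime")
    if last is None:
        findings.append("CronJob has never been scheduled")
    elif now - parse_k8s_time(last) > max_age:
        age = now - parse_k8s_time(last)
        findings.append(f"last scan scheduled {age.days} days ago, beyond the weekly interval")
    if len(status.get("active", [])) > 1:
        findings.append("more than one scan job active: runs may be overlapping or stuck")
    return findings


if __name__ == "__main__":
    # Pipe real kubectl output in; fall back to the constructed sample when run interactively.
    data = SAMPLE_CRONJOB_JSON if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit_cronjob(data, datetime.now(timezone.utc)):
        print("WARN:", finding)
```

Run it as `kubectl get cronjob registry-scanner -o json | python3 check_scanner.py`; no output means the scanner is scheduled and has fired within the last week.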
In the next section we will find out how to: