Docker discoveries
The Docker discoveries let you list the set of Docker images available from a registry, or pulled into an existing Docker deployment. The discovered Docker images can then be added to Cyberwatch with a grouped action for scanning.
Kubernetes via kubeconfig
Prerequisites
Kubernetes via kubeconfig discoveries need:
- the kubeconfig file of the clusters to scan, whose Microsoft Entra authentication is delegated to kubelogin
- on each cluster to scan, the right to list pods (Azure Kubernetes Service RBAC Reader role)
- the prerequisites specific to the chosen authentication mode, detailed in the corresponding section below
The Kubernetes via kubeconfig discovery scans the Kubernetes clusters described in a kubeconfig file in order to list all the Docker images deployed on them. The authentication modes currently supported target AKS clusters authenticated through Microsoft Entra.
This discovery complements the AKS discovery: it is aimed in particular at clusters whose Microsoft Entra audience is customized (a server-id specific to your application registration, instead of the default AKS audience), which the standard AKS discovery cannot reach. Since the server-id is read directly from the kubeconfig file, this discovery works whatever audience is configured on the cluster.
The discovery requires a Kubeconfig file credential, which you can create from the Stored credentials menu. Simply paste the content of your kubeconfig file (which must contain the clusters, contexts and users sections), then choose the Authentication mode matching the method declared in the kubeconfig file to authenticate to your clusters.
Cyberwatch iterates over all the contexts defined in the kubeconfig file and scans each cluster it manages to authenticate to. A context that matches another authentication mode or another credential than the configured one is skipped, without interrupting the scan of the other contexts.
Kubeconfig files generated for AKS delegate authentication to the kubelogin binary. Cyberwatch does not run this binary: it reads the authentication mode and its parameters (notably the server-id) directly from the file, then obtains the token from Microsoft Entra. No kubelogin installation is therefore required on the Cyberwatch side.
AKS — Service Principal
Prerequisites
- a Microsoft Azure credential of service principal type, created as for the Azure discoveries, whose application (client) ID and tenant ID match those declared in the kubeconfig file
This mode suits kubeconfig files whose user authenticates through a service principal (Service Principal), that is, whose kubelogin command is of the form ... --login spn. The cluster access token is obtained from this credential, which acts as the parent credential of the kubeconfig file. Such a file is obtained as follows:
az aks get-credentials --resource-group <resource-group> --name <cluster-name>
kubelogin convert-kubeconfig -l spn
When creating the Kubeconfig file credential, choose the AKS — Service Principal mode, then select the Microsoft Azure credential in the Azure credential field.
AKS — Workload Identity
Prerequisites
- a Cyberwatch installation hosted on an AKS cluster and configured with workload identity, by following Configure Azure Workload Identity on AKS
This mode suits kubeconfig files whose user authenticates through Microsoft Entra Workload Identity, that is, whose kubelogin command is of the form ... --login workloadidentity. No secret or parent credential is needed: Cyberwatch authenticates using the federated identity of its own pods. Such a file is obtained as follows:
az aks get-credentials --resource-group <resource-group> --name <cluster-name>
kubelogin convert-kubeconfig -l workloadidentity
When creating the Kubeconfig file credential, choose the AKS — Workload Identity mode. No parent credential is required: the authentication parameters are derived from the pod environment.
If the Cyberwatch deployment is not configured with workload identity, this mode cannot be used: the affected contexts are skipped and reported as such in the discovery output.
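The context selection described above (one pass over the contexts, the login mode and server-id read from the kubelogin exec block, non-matching contexts skipped without stopping the scan) can be checked on a kubeconfig before creating the credential. The script below is an added example, not Cyberwatch code: it parses a constructed kubeconfig (encoded as JSON, which is a valid kubeconfig encoding since YAML is a superset of JSON), reports each context's kubelogin parameters, and predicts which contexts would be scanned for a given mode, applying the rules of both the Service Principal and the Workload Identity sections. All GUID-like values are placeholders, and the environment variable names checked for workload identity are an assumption about the AKS pod setup.

```python
"""Inspect a kubeconfig and predict which contexts a kubelogin-based
discovery would scan or skip (added example, not Cyberwatch code)."""
import json
import os

# Placeholder identifiers (constructed, not real Entra IDs).
SERVER_ID = "00000000-0000-0000-0000-00000000aaaa"   # custom audience
CLIENT_ID = "00000000-0000-0000-0000-00000000bbbb"   # service principal app ID
TENANT_ID = "00000000-0000-0000-0000-00000000cccc"

# Constructed kubeconfig with one spn user, one workloadidentity user and
# one user that does not delegate to kubelogin at all.
SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1", "kind": "Config",
    "clusters": [
        {"name": "aks-prod", "cluster": {"server": "https://aks-prod.example.invalid:443"}},
        {"name": "aks-dev", "cluster": {"server": "https://aks-dev.example.invalid:443"}},
        {"name": "onprem", "cluster": {"server": "https://onprem.example.invalid:6443"}},
    ],
    "contexts": [
        {"name": "prod", "context": {"cluster": "aks-prod", "user": "prod-spn"}},
        {"name": "dev", "context": {"cluster": "aks-dev", "user": "dev-wi"}},
        {"name": "onprem", "context": {"cluster": "onprem", "user": "onprem-token"}},
    ],
    "users": [
        {"name": "prod-spn", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1beta1",
            "command": "kubelogin",
            "args": ["get-token", "--login", "spn", "--server-id", SERVER_ID,
                     "--client-id", CLIENT_ID, "--tenant-id", TENANT_ID]}}},
        {"name": "dev-wi", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1beta1",
            "command": "/usr/local/bin/kubelogin",
            "args": ["get-token", "--login", "workloadidentity",
                     "--server-id", SERVER_ID]}}},
        {"name": "onprem-token", "user": {"token": "constructed-static-token"}},
    ],
})

# Assumed names of the variables the workload identity webhook injects.
WORKLOAD_IDENTITY_ENV = ("AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_FEDERATED_TOKEN_FILE")


def _flag(args, name):
    """Value following flag `name` in a kubelogin argv, or None if absent."""
    for i in range(len(args) - 1):
        if args[i] == name:
            return args[i + 1]
    return None


def parse_contexts(kubeconfig_text):
    """One record per context: server, user, and the kubelogin login mode
    and Entra parameters when the user delegates to kubelogin."""
    cfg = json.loads(kubeconfig_text)
    users = {u["name"]: u.get("user", {}) for u in cfg.get("users", [])}
    clusters = {c["name"]: c.get("cluster", {}) for c in cfg.get("clusters", [])}
    records = []
    for ctx in cfg.get("contexts", []):
        ref = ctx["context"]
        exec_cfg = users.get(ref["user"], {}).get("exec") or {}
        is_kubelogin = os.path.basename(exec_cfg.get("command", "")) == "kubelogin"
        args = exec_cfg.get("args", []) if is_kubelogin else []
        records.append({
            "name": ctx["name"],
            "server": clusters.get(ref["cluster"], {}).get("server"),
            "user": ref["user"],
            "login": _flag(args, "--login"),
            "server_id": _flag(args, "--server-id"),
            "client_id": _flag(args, "--client-id"),
            "tenant_id": _flag(args, "--tenant-id"),
        })
    return records


def plan_discovery(records, mode, azure_credential=None, pod_env=None):
    """Map each context name to 'scan' or a 'skipped: ...' reason.
    mode is 'spn' or 'workloadidentity'; azure_credential holds the parent
    credential's client_id/tenant_id; pod_env is the scanning pod's env."""
    plan = {}
    for rec in records:
        if rec["login"] != mode:
            plan[rec["name"]] = f"skipped: login mode {rec['login']} != {mode}"
        elif not rec["server_id"]:
            plan[rec["name"]] = "skipped: no --server-id (audience) in kubeconfig"
        elif mode == "spn":
            cred = azure_credential or {}
            if (rec["client_id"], rec["tenant_id"]) != (cred.get("client_id"), cred.get("tenant_id")):
                plan[rec["name"]] = "skipped: client/tenant ID differ from the Azure credential"
            else:
                plan[rec["name"]] = "scan"
        else:  # workloadidentity: no parent credential, the pod identity is used
            missing = [k for k in WORKLOAD_IDENTITY_ENV if not (pod_env or {}).get(k)]
            plan[rec["name"]] = ("skipped: pod lacks " + ", ".join(missing)) if missing else "scan"
    return plan


if __name__ == "__main__":
    recs = parse_contexts(SAMPLE_KUBECONFIG)
    cred = {"client_id": CLIENT_ID, "tenant_id": TENANT_ID}
    for name, verdict in plan_discovery(recs, "spn", azure_credential=cred).items():
        print(f"{name}: {verdict}")
```

Run against a real kubeconfig, replace SAMPLE_KUBECONFIG with the file contents (converted to JSON, or loaded with a YAML library) and pass the IDs of the Microsoft Azure credential you intend to attach; every context reported as skipped will also be skipped by the discovery, so this is the place to catch a client ID or tenant ID mismatch before the scan.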
Create the discovery
Once the credential is ready, you can create the discovery from the Discoveries menu, by clicking the Add button then Kubernetes via kubeconfig in the Docker images category.
Add the discovered Docker images
From the discovery assets list, you may see and filter the Docker images without any associated assets. To add them to Cyberwatch, pick the images you wish to scan and click Bulk actions > Scan as Docker images.
Newly discovered Docker images can be automatically added to Cyberwatch by enabling automatic registration in the discovery edit form.
The registry is automatically selected based on the name of the discovered image. For instance, the image example.com/library/hello would automatically use the registry example.com, provided it has been added as a stored credential. New registries are automatically added as stored credentials, and you can edit them manually if they require authentication. In certain contexts you may select a preferred registry, but it is only used when the registry part of the discovered image name matches that registry's entry point.
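The registry selection above follows from how Docker splits an image reference. The function below is an added example, not Cyberwatch code: it applies Docker's general reference rule (the first path component is a registry host only when it contains a dot or a colon or is localhost; otherwise the image lives on the default registry docker.io) and then matches the host against constructed stored-credential entries by entry point, honouring a preferred registry only when the entry point matches. That Cyberwatch treats the default registry exactly this way is an assumption.

```python
"""Derive the registry of a Docker image reference and match it against
stored registry credentials by entry point (added example, not Cyberwatch code)."""

DEFAULT_REGISTRY = "docker.io"  # Docker's implicit registry for bare names

# Constructed stored credentials: entry point and whether auth is configured.
STORED_REGISTRIES = [
    {"entry_point": "example.com", "authenticated": False},
    {"entry_point": "registry.internal.example:5000", "authenticated": True},
]


def registry_of(image_ref):
    """Return the registry host of an image reference using Docker's rule."""
    name = image_ref.split("@", 1)[0]          # drop an optional digest
    first, sep, _rest = name.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first                           # explicit registry host[:port]
    return DEFAULT_REGISTRY                    # e.g. nginx:1.25, library/hello


def select_registry(image_ref, stored, preferred=None):
    """Pick the stored registry for an image; create a new unauthenticated
    entry when none matches. The preferred registry is used only when its
    entry point equals the host in the image name."""
    host = registry_of(image_ref)
    if preferred and preferred.get("entry_point") == host:
        return preferred
    for entry in stored:
        if entry["entry_point"] == host:
            return entry
    new_entry = {"entry_point": host, "authenticated": False, "new": True}
    stored.append(new_entry)                   # mirrors automatic registration
    return new_entry


if __name__ == "__main__":
    for ref in ("example.com/library/hello", "nginx:1.25",
                "registry.internal.example:5000/team/app@sha256:" + "0" * 64):
        print(ref, "->", select_registry(ref, STORED_REGISTRIES))
```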