Docker discoveries

The Docker discoveries let you list the set of Docker images available from a registry, or pulled into an existing Docker deployment. The discovered Docker images can then be added to Cyberwatch with a grouped action for scanning.

Oracle Cloud OKE

Prerequisites

Oracle Cloud OKE discoveries need:

  • a user belonging to a group (named for example Compliance) with a policy allowing listing clusters and accessing each cluster’s kubeconfig:

      Allow group Compliance to use cluster-family in tenancy
    
  • the Kubernetes RBAC view role associated with the user’s group on each cluster via the following command:

      kubectl create clusterrolebinding <binding_name> --clusterrole=view --group=<group_ocid>
    

An alternative that avoids having to associate the Kubernetes RBAC view role on each new cluster is to define the following policy for the group:

      Allow group Compliance to manage cluster-family in tenancy

This alternative is not recommended, because this policy grants the equivalent of the Kubernetes RBAC cluster-admin role on all clusters.
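One way to check that the discovery group keeps only the access described above, as an added example that is not part of Cyberwatch or Oracle tooling: it flags a manage cluster-family policy statement and any cluster role binding that gives the group a role other than view. The group OCID, binding names and sample data are constructed placeholders, and the binding data mimics the shape of `kubectl get clusterrolebindings -o json` output.

```python
import json
import re

# Constructed sample data, not taken from a real tenancy or cluster.
GROUP_NAME = "Compliance"
GROUP_OCID = "ocid1.group.oc1..exampleuniqueid"  # placeholder OCID
POLICY_STATEMENTS = [
    "Allow group Compliance to use cluster-family in tenancy",
    "Allow group Compliance to manage cluster-family in tenancy",
]

def _binding(name, role, group):
    """Build one constructed ClusterRoleBinding, trimmed to the fields used."""
    return {"metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": "Group", "name": group}]}

BINDINGS_JSON = json.dumps({"items": [
    _binding("cyberwatch-view", "view", GROUP_OCID),
    _binding("legacy-admin", "cluster-admin", GROUP_OCID),
    _binding("other-team", "edit", "ocid1.group.oc1..otherteam"),
]})

# Matches only the simple statement form shown on this page.
STATEMENT_RE = re.compile(
    r"^\s*allow\s+group\s+(\S+)\s+to\s+(\w+)\s+cluster-family\b", re.IGNORECASE)

def excessive_policies(statements, group):
    """Return statements giving `group` the `manage` verb on cluster-family."""
    hits = []
    for statement in statements:
        m = STATEMENT_RE.match(statement)
        if m and m.group(1) == group and m.group(2).lower() == "manage":
            hits.append(statement)
    return hits

def excessive_bindings(bindings_json, group_ocid, allowed=("view",)):
    """Return (binding, role) pairs that bind the group to a role not in `allowed`."""
    hits = []
    for item in json.loads(bindings_json).get("items", []):
        subjects = item.get("subjects") or []
        bound = any(s.get("kind") == "Group" and s.get("name") == group_ocid
                    for s in subjects)
        role = item.get("roleRef", {}).get("name")
        if bound and role not in allowed:
            hits.append((item["metadata"]["name"], role))
    return hits

if __name__ == "__main__":
    print(excessive_policies(POLICY_STATEMENTS, GROUP_NAME))
    print(excessive_bindings(BINDINGS_JSON, GROUP_OCID))
```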

Once the credential set is created from the menu, you can create the Oracle Cloud OKE discovery by going to Discoveries, then clicking Add and Oracle Cloud OKE in the Docker images category.

Add the discovered Docker images

From the discovery assets list, you may see and filter the Docker images without any associated assets. To add them to Cyberwatch, pick the images you wish to scan and click Bulk actions > Scan as Docker images.

Newly discovered Docker images can be automatically added to Cyberwatch by enabling automatic registration in the discovery edit form.

The registry is automatically selected based on the name of the discovered image. For instance, the image example.com/library/hello would automatically use the registry example.com, provided it has been added as a stored credential. New registries are automatically added as stored credentials, and you can manually edit them if they require authentication. In certain contexts you may select a preferred registry, but it is only used when the registry in the name of the discovered image matches the entry point of that registry.

