diff --git a/README.md b/README.md index fe10f298..ce2bbe6e 100644 --- a/README.md +++ b/README.md 
@@ -296,6 +296,88 @@ Grype supplies shell completion through its CLI implementation ([cobra](https:// This will output a shell script to STDOUT, which can then be used as a completion script for Grype. Running one of the above commands with the `-h` or `--help` flags will provide instructions on how to do that for your chosen shell. +## Private Registry Authentication + +### Local Docker Credentials +When a container runtime is not present, grype can still utilize credentials configured in common credential sources (such as `~/.docker/config.json`). +It will pull images from private registries using these credentials. The config file is where your credentials are stored when authenticating with private registries via some command like `docker login`. +For more information see the `go-containerregistry` [documentation](https://github.com/google/go-containerregistry/tree/main/pkg/authn). + + +An example `config.json` looks something like this: +``` +// config.json +{ + "auths": { + "registry.example.com": { + "username": "AzureDiamond", + "password": "hunter2" + } + } +} +``` + +You can run the following command as an example. It details the mount/environment configuration a container needs to access a private registry: + +`docker run -v ./config.json:/config/config.json -e "DOCKER_CONFIG=/config" anchore/grype:latest ` + + +### Docker Credentials in Kubernetes +The below section shows a simple workflow on how to mount this config file as a secret into a container on kubernetes. +1. Create a secret. The value of `config.json` is important. It refers to the specification detailed [here](https://github.com/google/go-containerregistry/tree/main/pkg/authn#the-config-file). +Below this section is the `secret.yaml` file that the pod configuration will consume as a volume. +The key `config.json` is important. It will end up being the name of the file when mounted into the pod. 
+ ``` + # secret.yaml + + apiVersion: v1 + kind: Secret + metadata: + name: registry-config + namespace: grype + data: + config.json: + ``` + + `kubectl apply -f secret.yaml` + + +2. Create your pod running grype. The env `DOCKER_CONFIG` is important because it advertises where to look for the credential file. +In the below example, setting `DOCKER_CONFIG=/config` informs grype that credentials can be found at `/config/config.json`. +This is why we used `config.json` as the key for our secret. When mounted into containers the secrets' key is used as the filename. +The `volumeMounts` section mounts our secret to `/config`. The `volumes` section names our volume and leverages the secret we created in step one. + ``` + # pod.yaml + + apiVersion: v1 + kind: Pod + spec: + containers: + - image: anchore/grype:latest + name: grype-private-registry-demo + env: + - name: DOCKER_CONFIG + value: /config + volumeMounts: + - mountPath: /config + name: registry-config + readOnly: true + args: + - + volumes: + - name: registry-config + secret: + secretName: registry-config + ``` + + `kubectl apply -f pod.yaml` + + +3. The user can now run `kubectl logs grype-private-registry-demo`. The logs should show the grype analysis for the `` provided in the pod configuration. + +Using the above information, users should be able to configure private registry access without having to do so in the `grype` or `syft` configuration files. +They will also not be dependent on a docker daemon, (or some other runtime software) for registry configuration and access. + ## Configuration Configuration search paths:
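Review bot: The `pod.yaml` in step 2 has no `metadata` block, so `kubectl apply -f pod.yaml` will be rejected (a Pod must have a name), and once a name is added the pod still lands in the `default` namespace while `secret.yaml` creates `registry-config` in `namespace: grype`, so the `registry-config` volume would never mount; step 3's `kubectl logs grype-private-registry-demo` also assumes the pod carries the container's name. Suggest adding `metadata:` with `name: grype-private-registry-demo` and `namespace: grype` under `kind: Pod` so the manifest, the Secret and the `kubectl logs` command agree. Related: the Secret uses `data:`, whose values Kubernetes requires to be base64-encoded; the prose around `config.json:` should state that, or the manifest should use `stringData:` so the JSON from the earlier example can be pasted verbatim. Minor: the `docker run -v ./config.json:/config/config.json` example uses a relative host path, which older Docker CLIs reject as a bind-mount source; `-v "$(pwd)/config.json:/config/config.json"` works on all versions.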