Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-3152

CSO: add ability to use global pull secrets

    XMLWordPrintable

Details

    • False
    • False
    • 0
    • 0% 0%
    • 0

    Description

      Currently, CSO checks the pod spec for any pull secrets and uses those credentials when connecting to the secscan API endpoint:

      https://github.com/quay/container-security-operator/blob/44a4493ddf0fe9adea82906adf6be073f02e61fb/labeller/labeller.go#L371

      However, OpenShift allows global pull secrets to be defined as well:

      https://docs.openshift.com/container-platform/4.9/openshift_images/managing_images/using-image-pull-secrets.html#images-update-global-pull-secret_using-image-pull-secrets

      It would be great if we could implement a feature that would allow CSO to use a global pull secret in addition to checking individual pod specs for one. This will allow pods that do not have a pull secret explicitly defined and are in fact relying on the global, cluster pull secret to be scanned by CSO.

      Attachments

        Issue Links

          relates to

          Bug - A problem that impairs or prevents the functions of the product. PROJQUAY-1603 Container-security-operator does not take pull secrets of OpenShift into account

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              Unassigned Unassigned
              rhn-support-ibazulic Ivan Bazulic
              Votes:
              2 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: