Feature
Resolution: Unresolved
Major
Goal Summary
Central will directly use its configured OpenShift ImageTagMirrorSet/ImageDigestMirrorSet (ITMS/IDMS) registry credentials to pull and scan images. This eliminates the need for duplicate scanner deployments (like Delegated Scanning) in environments where all clusters share the same mirrored image registry configurations and access.
Goals and Expected User Outcomes
The primary observable functionality is that Central successfully pulls and scans images from registries defined in its local OpenShift ImageTagMirrorSet and ImageDigestMirrorSet configurations using its existing registry credentials.
- Primary User Type/Persona: Platform Administrators and Security Administrators managing large-scale OpenShift environments (approximately 150+ clusters) with a shared registry mirroring setup.
- Expanded Existing Features: Enhances Central's Image Scanning capabilities by leveraging the existing OpenShift Registry Credential Management (ITMS/IDMS) for direct image fetching.
- Anticipated User Outcome: Users benefit from simpler configuration, lower infrastructure cost (by avoiding numerous delegated scanner deployments), and consistent scan results across the fleet.
Acceptance Criteria
- Functional: Central successfully pulls and scans images from registries defined in ITMS/IDMS using the OpenShift registry credentials configured on the Central cluster.
- Works with Existing Configs: The feature must be compatible with both ImageTagMirrorSet and ImageDigestMirrorSet configurations.
- Performance: Image pull and scan times using the mirrored registries must be comparable to existing direct scanning methods.
- Reliability: Central automatically honors credential refreshing and rotation mechanisms provided by OpenShift without requiring manual user intervention.
- Usability: The feature is easily enabled or detected automatically when the relevant ITMS/IDMS configuration exists.
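How Central would map an image reference through the ITMS/IDMS rules on its own cluster, as an added example (not StackRox/ACS code): ITMS rules apply only to tag references and IDMS rules only to digest references, the longest matching source prefix wins, and a mirrorSourcePolicy of NeverContactSource suppresses the fallback to the source registry. The rule and registry names are constructed for the example.

```go
package main

import "strings"

// MirrorRule is one entry of spec.imageTagMirrors (ITMS) or spec.imageDigestMirrors (IDMS).
type MirrorRule struct {
	Source  string   // registry or registry/repo prefix, e.g. "registry.example.com/acme"
	Mirrors []string // tried in order before the source
	Policy  string   // mirrorSourcePolicy: "NeverContactSource" or "AllowContactingSource" (default)
}
// MirrorSets is the mirror configuration Central would read from its own cluster.
type MirrorSets struct {
	Tag    []MirrorRule // ITMS rules apply to tag references only
	Digest []MirrorRule // IDMS rules apply to digest references only
}
// imageName strips the tag or digest so prefix matching sees only registry/repository.
func imageName(ref string) string {
	if i := strings.Index(ref, "@"); i >= 0 {
		return ref[:i]
	}
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		return ref[:i] // a ':' after the last '/' is a tag separator, not a registry port
	}
	return ref
}
// PullCandidates returns the ordered locations to try for ref: mirrors of the longest matching source first, then the source unless the policy forbids it.
func (m MirrorSets) PullCandidates(ref string) []string {
	rules := m.Tag
	if strings.Contains(ref, "@") {
		rules = m.Digest // digest pulls are governed by IDMS, not ITMS
	}
	name, best := imageName(ref), -1
	for i, r := range rules {
		if (name == r.Source || strings.HasPrefix(name, r.Source+"/")) &&
			(best < 0 || len(r.Source) > len(rules[best].Source)) {
			best = i
		}
	}
	if best < 0 {
		return []string{ref} // no mirror configured: pull straight from the source
	}
	var out []string
	for _, mir := range rules[best].Mirrors {
		out = append(out, mir+strings.TrimPrefix(ref, rules[best].Source))
	}
	if rules[best].Policy != "NeverContactSource" {
		out = append(out, ref)
	}
	return out
}
```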
Success Criteria or KPIs Measured
- KPI: Reduction in the number of Delegated Scanner deployments in applicable large-scale environments (Target: zero delegated scanners required).
- Metric: Percentage of customers utilizing this simplified direct scanning method over Delegated Scanning.
- Metric: Significant reduction in setup time for image scanning in large environments (Target: >90% reduction in setup steps compared to per-cluster Delegated Scanning).
- Metric: Increased Image Scan Coverage across the fleet due to the simplified setup.
Use Cases
Main Success Scenario
A Platform Administrator manages 200 OpenShift clusters that share the same corporate registry configuration via ITMS/IDMS. The Admin enables this feature on the Central cluster. Central successfully pulls and scans images for all clusters directly using its local credentials, providing comprehensive vulnerability data across the fleet without needing to deploy or maintain any Delegated Scanners.
Alternative Flow: Credential Failure
Central attempts to pull an image from a mirrored registry but the associated OpenShift registry credentials have expired or are incorrect. Central logs a clear, actionable error indicating a credential failure related to the specific mirrored registry configuration, allowing the Administrator to quickly diagnose and fix the issue within the OpenShift cluster's secret management.
Out of Scope (Optional)
- Support for non-OpenShift environments (e.g., vanilla Kubernetes without ITMS/IDMS).
- Automated configuration or setup of the ImageTagMirrorSet or ImageDigestMirrorSet on the Central cluster itself.
- Complex logic to determine which registries are shared across the entire fleet; this feature assumes Central can access all necessary registries via its local ITMS/IDMS configuration.
Is triggered by: RFE-8335 Allow Central to scan images directly using its OpenShift configured registry credentials
Backlog