Follow these steps to integrate Google Container Registry (GCR) with Lacework.
- Log in to the Lacework Console with an account with admin permissions.
- Navigate to Settings > Container Registry.
- Click + Create New.
- From the Registry Type drop-down, select the appropriate registry and click Next.
- Complete the required settings and click Save.
- Verify that assessments have started by viewing the table in Container > Vulnerability Assessments. After an image is assessed, Lacework reports its results in the table. Select the Last 24 hours option above the table to view the assessment results.
Google Container Registry (GCR) Settings
| Setting Name | Description |
| Registry Type | Specify the registry type selected from the drop-down, in this case, select Google Container Registry (GCR). |
| Name | Specify a unique name for the container registry in the Lacework Console. |
| Client ID | Specify a Client ID for the service account that has been granted the storage.objectViewer role for access to the Google project that contains the Google Container Registry (GCR). The storage.objectViewer role can be granted at the project level or the bucket level. If granting the storage.objectViewer role at the bucket level, you must grant the storage.objectViewer role to the default bucket called artifacts.<projectid>.appspot.com. In addition, the client must have access to the Google Container Registry API and billing must be enabled. |
| Private Key ID | Specify the Private Key ID for the service account that has granted storage.objectViewer role for access to the Google project that contains the Google Container Registry (GCR). |
| Client Email | Specify the Client email associated with the service account that has granted storage.objectViewer role for access to the Google project that contains the Google Container Registry (GCR). |
| Private Key | Specify the Private Key for the specified Private Key ID. |
| Registry Domain | From the drop-down, select one of the supported GCP regions: 1) grc.io 2) us.gcr.io 3) eu.gcr.io 4) asia.gcr.io For more information, see Container Registry Pushing and pulling images. NOTE: Do not prefix the URL with https://. |
| Limit by Tag (optional) | If you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. If you specify tag and label limits, they function as an AND. Supported field input: mytext*mytext, *mytext, mytext*, or mytext. Only one * wildcard is supported. |
| Limit by Label (optional) | If you do not want to assess all images in this registry, specify text from an image label so that only images with matching label text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. If you specify tag and label limits, they function as AND. Supported field input: <text>*<text>, *<text>, <text>*, <text>. Up to one * can be used. |
| Limit by Repository (optional) | If you do not want to discover/assess all repositories in this registry, specify a comma-separated list of repositories to discover/assess (without spaces recommended). To change which repositories you want to assess, update this field so the change is captured during the next polling period. |
| Limit Number of Images per Repo | Select the maximum number of newest container images to discover/assess per repository. |