This topic contains the following sections.
Container Registry Support
Google Container Registry (GCR) integrations support:
- Auto polling - polling occurs every 15 minutes
- On-demand scans via the API
Integrate GCR with Lacework
To integrate GCR with Lacework, follow these steps:
- Log in to the Lacework Console with an account with admin permissions.
- Navigate to Settings > Integrations > Container Registries.
- Click + Create New.
- From the Registry Type drop-down, select the appropriate registry and click Next.
- Complete the required settings and click Save.
The integration status displays Integration Successful only after its first assessment completes. Verify that assessments have started by viewing the table in Vulnerability > Container.
After an image is assessed, Lacework reports its results in the table. Select the Last 24 hours option above the table to view the assessment results.
Settings
| Setting Name | Description |
|---|---|
| Registry Type | Specify the registry type selected from the drop-down, in this case, select Google Container Registry (GCR). |
| Name | Specify a unique name for the container registry in the Lacework Console. |
| Client ID | Specify a Client ID for the service account that has been granted the storage.objectViewer role for access to the Google project that contains the Google Container Registry (GCR). The storage.objectViewer role can be granted at the project level or the bucket level. If granting the storage.objectViewer role at the bucket level, you must grant the storage.objectViewer role to the default bucket called artifacts.YourProjectID.appspot.com. Additionally, the following must be enabled: Cloud Resource Manager API, Google Container Registry API (client requires access as well), and billing. |
| Private Key ID | Specify the Private Key ID for the service account that has granted storage.objectViewer role for access to the Google project that contains the Google Container Registry (GCR). |
| Client Email | Specify the Client email associated with the service account that has granted storage.objectViewer role for access to the Google project that contains the Google Container Registry (GCR). |
| Private Key | Specify the Private Key for the specified Private Key ID. You cannot just copy the private key from the editor because of an issue copying the new line characters. You must copy a raw version of the key using the “jq” utility as described in the next steps. 1) To view the private key raw text, enter the following command, where YourFileName.json is the name of the file downloaded when you created the GCP Service Account. $ cat YourFileName.json | jq -r '.private_key' 2) Copy all text displayed in the output including the BEGIN and END lines.  |
| Registry Domain | From the drop-down, select one of the supported GCP regions: 1) grc.io 2) us.gcr.io 3) eu.gcr.io 4) asia.gcr.io For more information, see Container Registry Pushing and pulling images. NOTE: Do not prefix the URL with https://. |
| Limit by Tag (optional) | If you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. If you specify tag and label limits, they function as an AND. Supported field input: mytext*mytext, *mytext, mytext, or mytext. Only one * wildcard is supported. |
| Limit by Label (optional) | If you do not want to assess all images in this registry, specify text from an image label so that only images with matching label text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. If you specify tag and label limits, they function as AND. Supported field input: mytext*mytext, *mytext, mytext, or mytext. Only one * wildcard is supported. |
| Limit by Repository (optional) | If you do not want to discover/assess all repositories in this registry, specify a comma-separated list of repositories to discover/assess (without spaces recommended). To change which repositories you want to assess, update this field so the change is captured during the next polling period. |
| Limit Number of Images per Repo | Select the maximum number of newest container images to discover/assess per repository. |
Create Service Account and GCR Integration Using Terraform
For organizations using Terraform to manage their environments, Lacework maintains the Terraform Provider for Lacework, which enables integrating supported container registries with Lacework using automation.
If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read the Terraform for Lacework Overview to learn the basics on how to configure the provider and more.
locals {
gcr_credentials = jsondecode(base64decode(module.lacework_gcr_svc_account.private_key))
}
provider "lacework" {}
provider "google" {}
# Create a service-account for integrating a GCR registry with Lacework
module "lacework_gcr_svc_account" {
source = "lacework/service-account/gcp"
version = "~> 0.1.4"
for_gcr = true
for_compliance = false
# Optionally, a project ID can be specified with the input 'project_id'
}
# Integrate a Google Container Registry (GCR) with Lacework
resource "lacework_integration_gcr" "example" {
name = "GRC Integration with Module"
registry_domain = "gcr.io"
credentials {
client_id = local.gcr_credentials.client_id
client_email = local.gcr_credentials.client_email
private_key_id = local.gcr_credentials.private_key_id
private_key = local.gcr_credentials.private_key
}
}
Additional information on the lacework_integration_gcr resource can be found on the Terraform Registry.