Harbor integration fails when deployment security is enabled #37

Closed
lbg-raghu-vennam opened this issue Apr 11, 2020 · 9 comments · Fixed by #50
Labels: enhancement (New feature or request)
Comments

lbg-raghu-vennam commented Apr 11, 2020

This is linked to the issue opened at goharbor/harbor#11574, where we are seeing the same behaviour: interrogation services configured with Aqua are also failing to pull the images to scan.

Is there any specific configuration to be used for the deployment to still be able to pull the images for scanning?

danielpacak (Contributor) commented Apr 14, 2020

> This is linked to the issue opened at goharbor/harbor#11574, where we are seeing the same behaviour: interrogation services configured with Aqua are also failing to pull the images to scan.
>
> Is there any specific configuration to be used for the deployment to still be able to pull the images for scanning?

Hi @rvennam-lbg. Thank you for filing the issue. As you pointed out, this is related to robot account permissions and the scannercli binary ignoring the robot account credentials.

I'm also working with the product team at Aqua to pass the robot account credentials from the authorization property of a scan request down to the Aqua CSP scanner.

```sh
scannercli \
  ... \
  --registry-username=$ROBOT_ACCOUNT_NAME \
  --registry-password=$ROBOT_ACCOUNT_PASSWORD
```

As of today, the only solution to that is, unfortunately, disabling deployment security in Harbor.

@danielpacak danielpacak self-assigned this Apr 14, 2020
@danielpacak danielpacak added the enhancement New feature or request label Apr 14, 2020
honeybajaj commented

Thanks @danielpacak, can you kindly suggest if any help is required to expedite the implementation, as we have a key requirement for this feature within our container workflow.

danielpacak (Contributor) commented Apr 15, 2020

> Thanks @danielpacak, can you kindly suggest if any help is required to expedite the implementation, as we have a key requirement for this feature within our container workflow.

@honeybajaj There are two parts to it:

  1. Allow scannercli to accept robot account credentials generated by Harbor - we're going to work on that very soon and deliver ASAP.
  2. Contribute to the Harbor spec described in "Enable external security scanners by adding the scanner-pull permission to a robot account" (goharbor/harbor#11574) and find the best UI / API experience to generate a robot account with extended scope for such integrations as external vulnerability scanners. Any feedback from the ops / end-user standpoint would be invaluable to ship it faster.

honeybajaj commented

@danielpacak One more feature request (or it might automatically get enabled) is integration with the acknowledge feature in Aqua. So, if an admin or security engineer acknowledges a vulnerability for an image in Aqua, will Harbor understand that and allow the image to run?
Example: an image with 1 high vulnerability which gets acknowledged in Aqua; will Harbor deployment security ("prevent vulnerable image", severity set to High) allow it to be pulled/pushed?

danielpacak (Contributor) commented

> @danielpacak One more feature request (or it might automatically get enabled) is integration with the acknowledge feature in Aqua. So, if an admin or security engineer acknowledges a vulnerability for an image in Aqua, will Harbor understand that and allow the image to run?
> Example: an image with 1 high vulnerability which gets acknowledged in Aqua; will Harbor deployment security ("prevent vulnerable image", severity set to High) allow it to be pulled/pushed?

Yes. That's great feedback @honeybajaj. We'll take that into account and follow up.

@danielpacak danielpacak pinned this issue Apr 24, 2020
honeybajaj commented

@danielpacak Do you have a view on when this feature will become available for consumption/testing? Thanks for all your help.

danielpacak (Contributor) commented

> @danielpacak Do you have a view on when this feature will become available for consumption/testing? Thanks for all your help.

@honeybajaj We have a PR ready with the fix in the adapter service waiting for review (#50) - I believe we can merge it soon.

However, in order to test it with Harbor we have to wait for the Aqua release train. I will let you know as soon as I get a possible release date from the product team. They're heads down adding new flags to scannercli, i.e. --registry-username and --registry-password, to override the registry credentials set in the Aqua management console.

danielpacak added a commit that referenced this issue Jun 5, 2020
…li (#50)

Pass Robot Account credentials generated by Harbor for each scan
request through to the scannercli command as --registry-username
and --registry-password flags.

This feature is enabled by setting the value of the
SCANNER_CLI_OVERRIDE_REGISTRY_CREDENTIALS to true.

It has to be enabled explicitly as not every version of scannercli
accepts the --registry-username and --registry-password flags.

Resolves: #37

Co-authored-by: Simarpreet Singh <[email protected]>
Signed-off-by: Daniel Pacak <[email protected]>
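The mechanism described in the comments above and in this commit message (take the robot account credentials Harbor puts in the scan request's authorization property, and pass them to scannercli as --registry-username and --registry-password only when SCANNER_CLI_OVERRIDE_REGISTRY_CREDENTIALS is true) is shown below as an added, self-contained example. It is not code from the harbor-scanner-aqua adapter or from #50: the ScanRequest struct, the function names, the "scan" base argument and the sample robot account are this example's own assumptions; only the two flags and the environment variable come from the thread.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// OverrideEnv is the toggle named in the commit message for #50.
const OverrideEnv = "SCANNER_CLI_OVERRIDE_REGISTRY_CREDENTIALS"

// ScanRequest holds the parts of a Harbor scan request this example needs.
// The struct and field names are this example's assumption, not the adapter's types.
type ScanRequest struct {
	Authorization string // "Basic <base64(robot-name:secret)>" as sent by Harbor
	Image         string // reference to scan, e.g. library/nginx:1.19
}

// OverrideEnabled reports whether credential override is switched on.
// Unset or unparsable values count as off: the flags must be opted into,
// because older scannercli versions reject them.
func OverrideEnabled() bool {
	v, ok := os.LookupEnv(OverrideEnv)
	if !ok {
		return false
	}
	b, err := strconv.ParseBool(strings.TrimSpace(v))
	return err == nil && b
}

// ParseBasicAuth splits a "Basic <base64>" authorization value into
// username and password. The password may itself contain ':'; only the
// first ':' separates the two.
func ParseBasicAuth(authorization string) (user, pass string, err error) {
	const prefix = "Basic "
	if !strings.HasPrefix(authorization, prefix) {
		return "", "", errors.New("authorization is not Basic")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(authorization[len(prefix):]))
	if err != nil {
		return "", "", fmt.Errorf("decode basic auth: %w", err)
	}
	idx := strings.IndexByte(string(raw), ':')
	if idx < 0 {
		return "", "", errors.New("malformed basic credentials: no ':' separator")
	}
	return string(raw[:idx]), string(raw[idx+1:]), nil
}

// BuildScannerCLIArgs copies baseArgs (whatever the deployment already passes
// to scannercli), appends the robot account flags when override is on, and
// appends the image reference last. With override off, the request's
// Authorization is ignored and scannercli keeps using the console credentials.
func BuildScannerCLIArgs(baseArgs []string, req ScanRequest, override bool) ([]string, error) {
	args := append([]string{}, baseArgs...)
	if override {
		user, pass, err := ParseBasicAuth(req.Authorization)
		if err != nil {
			return nil, fmt.Errorf("robot account credentials: %w", err)
		}
		args = append(args,
			"--registry-username="+user,
			"--registry-password="+pass,
		)
	}
	return append(args, req.Image), nil
}

// RedactArgs returns a copy of args safe for logging: the password flag's
// value is masked so the robot account secret never lands in adapter logs.
func RedactArgs(args []string) []string {
	out := make([]string, len(args))
	for i, a := range args {
		if strings.HasPrefix(a, "--registry-password=") {
			a = "--registry-password=***"
		}
		out[i] = a
	}
	return out
}

func main() {
	// Constructed sample robot account, in the shape Harbor sends it.
	auth := "Basic " + base64.StdEncoding.EncodeToString([]byte("robot$harbor-scanner:secret-token"))
	req := ScanRequest{Authorization: auth, Image: "library/nginx:1.19"}
	args, err := BuildScannerCLIArgs([]string{"scan"}, req, OverrideEnabled())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("scannercli", strings.Join(RedactArgs(args), " "))
}
```

Two things to keep in mind when wiring this into a real adapter: the args slice should be handed to exec.Command directly (never joined into a shell string, since the robot name and secret are attacker-independent but still not shell-safe), and anything passed as a process argument is visible to other processes in the same PID namespace, so run scannercli in its own container and log only the redacted form.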
danielpacak (Contributor) commented

@honeybajaj I've tested the code with a dev build version of Aqua CSP. Everything works as expected. I'll close this issue shortly once we have the official release and exact version number.

danielpacak (Contributor) commented

@honeybajaj @rvennam-lbg If this adapter service is used with Aqua version >= 4.6.20181 (4.6 update 16), it can bypass Harbor's deployment security proxy. For more details consult https://github.com/aquasecurity/harbor-scanner-aqua#error-failed-getting-image-manifest-412-precondition-failed

@danielpacak danielpacak changed the title Harbor interragation fails when deployment security is enabled Harbor integration fails when deployment security is enabled Feb 10, 2021