Authenticate to private container registries
If you are using private container registries, you must create a dockercfg.json file that contains the credentials to the registry. Then you must create a secret, which must be called snyk-monitor.
The dockercfg.json file is necessary to allow the monitor to look up images in private registries. Usually, your credentials are in $HOME/.docker/config.json. However, the credentials must also be added to the dockercfg.json file. The Snyk Controller is not able to access these registries if the credentials are only stored in $HOME/.docker/config.json.
The steps below explain how to authenticate to private container registries.
Configure the dockercfg.json file
Create a file named dockercfg.json. Store your credentials in this file.
Ensure the file containing your credentials is named dockercfg.json. This filename is required by the snyk-monitor.
Ensure the formatting is correct, including new line characters and whitespace in the dockercfg.json file. Malformed files will result in authentication failures.
The locations where your cluster runs and where your registries run determine the combination of entries in your dockercfg.json file. The file can contain credentials for multiple registries.
If your credentials are already in $HOME/.docker/config.json, copy this information to the dockercfg.json file.
If the auth entry is empty in $HOME/.docker/config.json, run the following command and paste the output into the auth entry in dockercfg.json:
Examples of dockercfg.json file configuration
For private registries other than Nexus
If your cluster does not run on GKE, or it runs on GKE and pulls images from other private registries, your dockercfg.json file must contain:
For Nexus Repository
If you are using Nexus Repository, your dockercfg.json file must contain:
For Artifactory Container Registry
If you are using Artifactory Container Registry to host multiple private repositories, your dockercfg.json file must contain:
For GKE using GCR
If your cluster runs on GKE and you are using GCR, your dockercfg.json file must contain:
For GKE using Google Artifact Registry (GAR)
If your cluster runs on GKE and you are using GAR, your dockercfg.json file must contain:
The “auth” line is generated with the following command, where the username is json_key_base64 and the password is the entire contents of the base64 json keyfile.
For example, the output of this command is used in the “auth” line of the dockercfg.json
For EKS using ECR
If your cluster runs on EKS and you are using ECR, add the following:
To use this credential helper for a specific ECR registry, create a credHelpers section with the URI of your ECR registry:
For AKS using ACR
If your cluster runs on AKS and you're using ACR, add the following:
You can configure different credential helpers for different registries.
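A pre-flight check for the finished dockercfg.json, covering the two failure modes named in the configuration steps (malformed files and empty auth entries). This is an added example, not part of the Snyk documentation. It assumes the standard Docker config layout: an auths object whose auth values are base64 of username:password, plus an optional credHelpers object. The function name check_dockercfg and the sample registries, helper name and credentials are constructed for illustration.

```python
import base64
import json


def check_dockercfg(text):
    """Return a list of problems in a dockercfg.json document; empty means it passed."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    auths = cfg.get("auths", {})
    helpers = cfg.get("credHelpers", {})
    if not isinstance(auths, dict) or not isinstance(helpers, dict):
        return ["auths and credHelpers must be JSON objects"]
    if not auths and not helpers:
        return ["no auths or credHelpers entries found"]
    problems = []
    for registry, entry in auths.items():
        auth = entry.get("auth") if isinstance(entry, dict) else None
        if not auth:
            # Assumption: an empty entry is acceptable only when a credential
            # helper is configured for the same registry.
            if registry not in helpers:
                problems.append(f"{registry}: auth entry is empty")
            continue
        try:
            decoded = base64.b64decode(auth, validate=True).decode("utf-8")
        except (ValueError, TypeError):
            problems.append(f"{registry}: auth is not valid base64")
            continue
        # Only the shape is checked; the decoded secret is never reported.
        user, sep, password = decoded.partition(":")
        if not (user and sep and password):
            problems.append(f"{registry}: auth does not decode to username:password")
    return problems


# Constructed sample documents (not real registries or credentials).
SAMPLE_AUTH = base64.b64encode(b"example-user:example-pass").decode()
SAMPLE_OK = json.dumps({"auths": {"registry.example.com": {"auth": SAMPLE_AUTH}}})
SAMPLE_EMPTY_AUTH = json.dumps({"auths": {"registry.example.com": {}}})

if __name__ == "__main__":
    for name, doc in (("ok", SAMPLE_OK), ("empty auth", SAMPLE_EMPTY_AUTH)):
        print(name, "->", check_dockercfg(doc) or "passed")
```

Run it against the file's contents before creating the secret, so a formatting or encoding mistake is caught locally rather than as an authentication failure in the cluster.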
Create the Kubernetes secret
Create the secret in Kubernetes by running the following command: