By default, all images for the Operator and Agent deployments are pulled from Docker Hub. If you prefer to mirror the images in your internal repositories, you can specify the image by modifying the CBContainersAgent resource that you apply to your cluster.

Modify the following properties to specify the image for each service:

  • monitor - spec.components.basic.monitor.image
  • enforcer - spec.components.basic.enforcer.image
  • state-reporter - spec.components.basic.stateReporter.image
  • runtime-resolver - spec.components.runtimeProtection.resolver.image
  • runtime-sensor - spec.components.runtimeProtection.sensor.image
  • image-scanning-reporter - spec.components.clusterScanning.imageScanningReporter.image
  • cluster-scanner - spec.components.clusterScanning.clusterScanner.image

The image object consists of four properties:

  • repository - the repository of the image; for example, docker.io/my-org/monitor
  • tag - the version tag of the image; for example, 1.0.0, latest, and so forth.
  • pullPolicy - the pull policy for that image; for example, IfNotPresent, Always, or Never. See Image pull policy (external link).
  • pullSecrets - the image pull secrets that are going to be used to pull the container images. The secrets must already exist in the cluster. See Pull an Image from a Private Registry (external link).

Sample configuration:

spec:
  components:
    basic:
      monitor:
        image:
          repository: docker.io/my-org/monitor
          tag: 1.0.0
          pullPolicy: Always
          pullSecrets:
            - my-pull-secret

In this case, the operator attempts to run the monitor service from the docker.io/my-org/monitor:1.0.0 container image, and the kubelet is instructed to always pull the image by using the my-pull-secret secret.

Using a Shared Secret for all Images

To use just one pull secret to pull all the custom images, specify it under spec.settings.imagePullSecrets.

The secret is added to the imagePullSecrets list of all Agent workloads.
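
The following check is an added example, not part of the product or its documentation: it walks the seven image properties listed above and reports services that would still pull from Docker Hub, use the latest tag, or have neither a per-image nor a shared pull secret. The registry name registry.internal.example, the sample spec, and the treatment of spec.settings.imagePullSecrets as a list of secret names are assumptions, as is the premise that the mirror is private and needs a pull secret.

```python
# Added example: audit a CBContainersAgent spec (paths are relative to spec).
IMAGE_PATHS = {
    "monitor": "components.basic.monitor.image",
    "enforcer": "components.basic.enforcer.image",
    "state-reporter": "components.basic.stateReporter.image",
    "runtime-resolver": "components.runtimeProtection.resolver.image",
    "runtime-sensor": "components.runtimeProtection.sensor.image",
    "image-scanning-reporter": "components.clusterScanning.imageScanningReporter.image",
    "cluster-scanner": "components.clusterScanning.clusterScanner.image",
}
PULL_POLICIES = {"IfNotPresent", "Always", "Never"}

def dig(node, dotted):
    """Follow a dotted path through nested dicts; None if any key is missing."""
    for key in dotted.split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node

def audit(spec, mirror):
    """Return sorted (service, problem) pairs for one CBContainersAgent spec."""
    shared = dig(spec, "settings.imagePullSecrets") or []  # assumed: list of names
    findings = []
    for service, path in IMAGE_PATHS.items():
        image = dig(spec, path) or {}
        if not image.get("repository"):
            findings.append((service, "no override, image comes from Docker Hub"))
            continue
        # The trailing slash keeps look-alike hosts from matching the mirror name.
        if not image["repository"].startswith(mirror.rstrip("/") + "/"):
            findings.append((service, "repository is outside the mirror"))
        if image.get("tag") == "latest":
            findings.append((service, "mutable tag"))
        if image.get("pullPolicy") not in PULL_POLICIES | {None}:
            findings.append((service, "unknown pullPolicy"))
        if not image.get("pullSecrets") and not shared:
            findings.append((service, "no pull secret"))  # assumes a private mirror
    return sorted(findings)

SAMPLE_SPEC = {"settings": {}, "components": {  # constructed sample data
    "basic": {
        "monitor": {"image": {"repository": "registry.internal.example/cb/monitor",
                              "tag": "1.0.0", "pullPolicy": "Always",
                              "pullSecrets": ["my-pull-secret"]}},
        "enforcer": {"image": {"repository": "docker.io/my-org/enforcer",
                               "tag": "latest"}}},
    "runtimeProtection": {
        "sensor": {"image": {"repository": "registry.internal.example/cb/sensor",
                             "tag": "1.0.0"}}}}}

for service, problem in audit(SAMPLE_SPEC, "registry.internal.example"):
    print(f"{service}: {problem}")
```

To audit a real resource, pass the spec of the applied CBContainersAgent as a dictionary in place of SAMPLE_SPEC.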