After you have successfully installed Tanzu Mission Control Self-Managed, copy the Tanzu Standard package repository images and the third-party Sonobuoy inspection scan images to your private image registry.
The Tanzu Standard package repository images and the Sonobuoy inspection scan images are not required for using and operating TMC Self-Managed. However, they are required for the following capabilities:
To use the catalog features of Tanzu Mission Control, you must have a local copy of the images in your private image registry. Use the imgpkg tool from Carvel to copy the Tanzu Standard package repository with the tag v2.2.0_update.2 into your private image registry.
The command looks something like this:
imgpkg copy --registry-ca-cert-path=ca.crt \
  -b "${TKG_IMAGE_REGISTRY}/tkg/packages/standard/repo:v2.2.0_update.2" \
  --to-repo "${PRIVATE_IMAGE_REGISTRY}/${TMC_PROJECT}/498533941640.dkr.ecr.us-west-2.amazonaws.com/packages/standard/repo"
In the command:
--registry-ca-cert-path=ca.crt is the private image registry certificate you require to upload the image bundle. Replace ca.crt with the name of your certificate file. This is optional if the bootstrap machine has the ca.crt already in its local trust store.
TKG_IMAGE_REGISTRY identifies the public VMware registry endpoint, projects.registry.vmware.com.
PRIVATE_IMAGE_REGISTRY/TMC_PROJECT identifies your private image registry and the project you used for installing Tanzu Mission Control Self-Managed.
498533941640.dkr.ecr.us-west-2.amazonaws.com is the hard-coded repository name. It must be entered as shown.
IMGPKG_REGISTRY_HOSTNAME_0
IMGPKG_REGISTRY_USERNAME_0
IMGPKG_REGISTRY_PASSWORD_0
The Conformance and Lite inspection types use third-party images to run the scans. The third-party images are not included as part of the installation package for Tanzu Mission Control Self-Managed. You must copy the third-party images to your private image registry to run the scans successfully. The Conformance and Lite inspection types are not required for CIS inspections.
Use the bash script provided in "Script to copy inspection images" to make the images available from your private image registry.
Optionally, you can use the following environment variables:
LATEST_RELEASE can be found at https://github.com/vmware-tanzu/sonobuoy/releases
VERSION is derived from the tagged version on https://github.com/vmware-tanzu/sonobuoy/releases
CUSTOM_REGISTRY identifies your private registry
DOCKER_PROXY identifies your docker proxy, if you are using one
The bash script covers the latest patches for each major release from Kubernetes version 1.19 to 1.24. To use the bash script, copy the images into the provided container registry:
Copy the contents provided in "Script to copy inspection images" into a file called install_images.sh.
Make sure the file is runnable.
chmod +x install_images.sh
Run the script.
./install_images.sh
Because some images require authentication, you will see errors while pushing those images. You can ignore the errors. Those images are not used as part of Conformance inspections. For more information about the errors and the sonobuoy commands used in this script, see the Sonobuoy documentation at https://sonobuoy.io/docs/v0.56.12/airgap/#sonobuoy-image.
The following is a list of inspection images required to perform Conformance and Lite scans on clusters running Kubernetes version 1.23 and later versions.
docker.io/alpine/socat:1.7.4.3-r0
gcr.io/authenticated-image-pulling/alpine:3.7
gcr.io/authenticated-image-pulling/windows-nanoserver:v1
gcr.io/k8s-authenticated-test/agnhost:2.6
invalid.registry.k8s.io/invalid/alpine:3.1
mcr.microsoft.com/windows:1809
registry.k8s.io/build-image/distroless-iptables:v0.2.3
registry.k8s.io/cloud-provider-gcp/gcp-compute-persistent-disk-csi-driver:v1.2.2
registry.k8s.io/cloud-provider-gcp/gcp-compute-persistent-disk-csi-driver:v1.4.0
registry.k8s.io/conformance:v1.27.1
registry.k8s.io/e2e-test-images/agnhost:2.43
registry.k8s.io/e2e-test-images/apparmor-loader:1.4
registry.k8s.io/e2e-test-images/busybox:1.29-2
registry.k8s.io/e2e-test-images/busybox:1.29-4
registry.k8s.io/e2e-test-images/cuda-vector-add:1.0
registry.k8s.io/e2e-test-images/cuda-vector-add:2.2
registry.k8s.io/e2e-test-images/glusterdynamic-provisioner:v1.3
registry.k8s.io/e2e-test-images/httpd:2.4.38-4
registry.k8s.io/e2e-test-images/httpd:2.4.39-4
registry.k8s.io/e2e-test-images/ipc-utils:1.3
registry.k8s.io/e2e-test-images/jessie-dnsutils:1.7
registry.k8s.io/e2e-test-images/kitten:1.7
registry.k8s.io/e2e-test-images/nautilus:1.7
registry.k8s.io/e2e-test-images/nginx:1.14-4
registry.k8s.io/e2e-test-images/nginx:1.15-4
registry.k8s.io/e2e-test-images/node-perf/npb-ep:1.2
registry.k8s.io/e2e-test-images/node-perf/npb-is:1.2
registry.k8s.io/e2e-test-images/node-perf/tf-wide-deep:1.3
registry.k8s.io/e2e-test-images/nonewprivs:1.3
registry.k8s.io/e2e-test-images/nonroot:1.4
registry.k8s.io/e2e-test-images/perl:5.26
registry.k8s.io/e2e-test-images/redis:5.0.5-3
registry.k8s.io/e2e-test-images/regression-issue-74839:1.2
registry.k8s.io/e2e-test-images/resource-consumer:1.13
registry.k8s.io/e2e-test-images/sample-apiserver:1.17.7
registry.k8s.io/e2e-test-images/volume/gluster:1.3
registry.k8s.io/e2e-test-images/volume/iscsi:2.3
registry.k8s.io/e2e-test-images/volume/nfs:1.3
registry.k8s.io/e2e-test-images/volume/rbd:1.0.4
registry.k8s.io/etcd:3.5.7-0
registry.k8s.io/pause:3.9
registry.k8s.io/prometheus-dummy-exporter:v0.1.0
registry.k8s.io/prometheus-to-sd:v0.5.0
registry.k8s.io/sd-dummy-exporter:v0.2.0
registry.k8s.io/sig-storage/csi-attacher:v4.0.0
registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.7.0
registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1
registry.k8s.io/sig-storage/csi-provisioner:v3.4.0
registry.k8s.io/sig-storage/csi-resizer:v1.6.0
registry.k8s.io/sig-storage/csi-snapshotter:v5.0.1
registry.k8s.io/sig-storage/csi-snapshotter:v6.1.0
registry.k8s.io/sig-storage/hello-populator:v1.0.1
registry.k8s.io/sig-storage/hostpathplugin:v1.11.0
registry.k8s.io/sig-storage/hostpathplugin:v1.9.0
registry.k8s.io/sig-storage/livenessprobe:v2.7.0
registry.k8s.io/sig-storage/nfs-provisioner:v3.0.1
registry.k8s.io/sig-storage/volume-data-source-validator:v1.0.0
sonobuoy/sonobuoy:v0.56.16
sonobuoy/systemd-logs:v0.4
Use the following script to copy the latest inspection images.
#!/bin/bash
# Positional arguments, each with a default value
VERSION=${1:-"v0.56.16"}
LATEST_RELEASE=${2:-"sonobuoy_0.56.16_linux_amd64.tar.gz"}
CUSTOM_REGISTRY=${3:-"harbor.tanzu.io:8443"}
DOCKER_PROXY=${4:-"harbor.tanzu.io:8443/dockerhub-proxy-cache"} # optional argument
CUSTOM_TMC_REPO="${CUSTOM_REGISTRY}/tmc/498533941640.dkr.ecr.us-west-2.amazonaws.com"
# https://kubernetes.io/releases/patch-releases/
k8s_versions=(v1.27.1)
# download and unpack the sonobuoy release
wget "https://github.com/vmware-tanzu/sonobuoy/releases/download/${VERSION}/${LATEST_RELEASE}"
tar -xvf "${LATEST_RELEASE}"
for i in "${k8s_versions[@]}"
do
    echo "================CHECKING K8S: $i======================="
    ./sonobuoy images list --kubernetes-version "$i" > "images_$i.txt"
    while read -r image
    do
        echo "================CHECKING IMAGE: $image=================="
        # target name is the last path component; output is the reference without its registry host
        base=$(basename "$image")
        output=${image#*/*}
        if [[ $image == *"docker"* && -n $DOCKER_PROXY ]];
        then
            # pull Docker Hub images through the proxy cache
            docker pull "$DOCKER_PROXY/$output"
            docker tag "$DOCKER_PROXY/$output" "${CUSTOM_TMC_REPO}/extensions/inspection-images/$base"
        else
            docker pull "$image"
            docker tag "$image" "${CUSTOM_TMC_REPO}/extensions/inspection-images/$base"
        fi
        docker push "${CUSTOM_TMC_REPO}/extensions/inspection-images/$base"
        echo "===================PUSHING: ${CUSTOM_TMC_REPO}/extensions/inspection-images/$base ==========="
    done < "images_$i.txt"
done
# not part of sonobuoy image list, install manually, update these as images are found
docker pull k8s.gcr.io/e2e-test-images/agnhost:2.31
docker pull k8s.gcr.io/pause:3.9
docker pull registry.k8s.io/e2e-test-images/volume/gluster:1.3
docker pull registry.k8s.io/e2e-test-images/volume/nfs:1.3
docker tag registry.k8s.io/e2e-test-images/volume/gluster:1.3 "${CUSTOM_TMC_REPO}/extensions/inspection-images/volume/gluster:1.3"
docker tag registry.k8s.io/e2e-test-images/volume/nfs:1.3 "${CUSTOM_TMC_REPO}/extensions/inspection-images/volume/nfs:1.3"
docker tag k8s.gcr.io/e2e-test-images/agnhost:2.31 "${CUSTOM_TMC_REPO}/extensions/inspection-images/agnhost:2.31"
docker tag k8s.gcr.io/pause:3.9 "${CUSTOM_TMC_REPO}/extensions/inspection-images/pause:3.9"
docker push "${CUSTOM_TMC_REPO}/extensions/inspection-images/agnhost:2.31"
docker push "${CUSTOM_TMC_REPO}/extensions/inspection-images/pause:3.9"
docker push "${CUSTOM_TMC_REPO}/extensions/inspection-images/volume/gluster:1.3"
docker push "${CUSTOM_TMC_REPO}/extensions/inspection-images/volume/nfs:1.3"
# clean up text files and sonobuoy tar
rm images_*
rm sonobuoy_*
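Ignoring push errors for the images that require authentication also hides failures for images the scans do need. The following check is an added example, not part of the VMware script: it mirrors the copy loop's basename mapping, reports target names produced by more than one source, and lists required images missing from the private registry. The list of source prefixes expected to fail, the PROBE variable and the function names are assumptions of this example.

```bash
#!/bin/bash
# Added example, not part of the VMware script: audit what install_images.sh pushed.
CUSTOM_TMC_REPO="${CUSTOM_TMC_REPO:-harbor.tanzu.io:8443/tmc/498533941640.dkr.ecr.us-west-2.amazonaws.com}"
TARGET_PREFIX="${CUSTOM_TMC_REPO}/extensions/inspection-images"
# Assumption: a command that succeeds only if the image exists in the registry.
PROBE="${PROBE:-docker manifest inspect}"

# Target reference the copy loop pushes to: the path is flattened with basename.
target_for() {
  printf '%s/%s\n' "$TARGET_PREFIX" "$(basename "$1")"
}

# Read source references on stdin; print "<class> <source> <target>" per image.
# Assumption: only these prefixes need authentication or are deliberately
# invalid, so a failed pull or push is expected for them and for nothing else.
plan() {
  while IFS= read -r image; do
    [ -n "$image" ] || continue
    case "$image" in
      gcr.io/authenticated-image-pulling/*|gcr.io/k8s-authenticated-test/*|invalid.registry.k8s.io/*)
        echo "expected-fail $image $(target_for "$image")" ;;
      *)
        echo "required $image $(target_for "$image")" ;;
    esac
  done
}

# Targets produced by more than one source: the later push overwrites the earlier.
collisions() {
  plan | awk '{print $3}' | sort | uniq -d
}

# Required targets that the registry does not serve (needs registry access).
missing_required() {
  plan | while read -r class src dst; do
    [ "$class" = required ] || continue
    $PROBE "$dst" >/dev/null 2>&1 </dev/null || echo "$dst"
  done
}

# Constructed sample input: five references taken from the image list on this page.
SAMPLE_IMAGES='docker.io/alpine/socat:1.7.4.3-r0
gcr.io/authenticated-image-pulling/alpine:3.7
invalid.registry.k8s.io/invalid/alpine:3.1
registry.k8s.io/e2e-test-images/volume/nfs:1.3
registry.k8s.io/pause:3.9'
```

Source the file, then pipe the same list the copy script uses (the output of ./sonobuoy images list --kubernetes-version v1.27.1) into missing_required; every line printed is a scan image that is not in your private registry.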