You can configure inspections for use with a local image registry in Tanzu Mission Control.

Tanzu Mission Control supports three types of inspection scans with local image registry:
  • CIS Scan
  • Lite Scan
  • Conformance Scan

Instructions for running the Conformance and Lite scans are given in the steps below. You can directly run the CIS scan using the CLI as shown here:

tmc cluster inspection scan create --cluster-name <cluster-name> --inspection-type CIS \
  --management-cluster-name <mc-name> --provisioner-name <provisioner-name>

The Lite and Conformance scans use third-party images to run the scans. These third-party images are not included in the images distributed with Tanzu Mission Control, so you must copy them to your registry before running these scans. The list of the images needed for Kubernetes cluster versions 1.21 - 1.23 is included NEED EXTERNAL REFERENCE TO LIST.

There are two ways to copy these images to the registry: (1) manually tag and push the images to the registry, or (2) install Sonobuoy and use it to push the images.

Prerequisites

Log in to the Tanzu Mission Control console.

Make sure you have the appropriate permissions to configure inspections.
  • To configure inspections, you must be associated with the Tanzu Mission Control cluster.admin role.

Procedure

  1. Use the image list here to manually tag and push the images to the custom registry. For example:
    docker pull k8s.gcr.io/e2e-test-images/agnhost:2.36
    docker tag k8s.gcr.io/e2e-test-images/agnhost:2.36 \
      <customer-registry>/extensions/inspection-images/agnhost:2.36
    docker push <customer-registry>/extensions/inspection-images/agnhost:2.36
  2. Install Sonobuoy and let it take care of pushing the images. Follow the instructions at XREF to install Sonobuoy. Then use the following commands to push the images to the repository for all three versions:
    sonobuoy images push --kubernetes-version v1.23.3 \
      --e2e-repo <customer-registry>/extensions/inspection-images \
      --custom-registry <customer-registry>/extensions/inspection-images
    
    sonobuoy images push --kubernetes-version v1.22.3 \
      --e2e-repo <customer-registry>/extensions/inspection-images \
      --custom-registry <customer-registry>/extensions/inspection-images
    
    sonobuoy images push --kubernetes-version v1.21.3 \
      --e2e-repo <customer-registry>/tmc-unstable/extensions/inspection-images \
      --custom-registry <customer-registry>/extensions/inspection-images
    
    1. In addition to the Sonobuoy commands, manually push the image below, because it is not included in the Sonobuoy image list:
      docker pull k8s.gcr.io/e2e-test-images/agnhost:2.31
      docker tag k8s.gcr.io/e2e-test-images/agnhost:2.31 \
        <customer-registry>/extensions/inspection-images/agnhost:2.31
      docker push <customer-registry>/extensions/inspection-images/agnhost:2.31

      More details on using these commands are in the Sonobuoy air-gap documentation: https://sonobuoy.io/docs/v0.56.13/airgap/#test-images.

      Note:

      You might encounter errors while pushing some images because they require authentication. This is expected and should be ignored; those images are not used by the Conformance scan. See the Notes section of the Sonobuoy air-gap documentation (https://sonobuoy.io/docs/v0.56.13/airgap/#test-images) for more details.

  3. Once the images are in place, you can run the Lite and Conformance scans.
    tmc cluster inspection scan create --cluster-name <cluster-name> --inspection-type LITE \
      --management-cluster-name <mc-name> --provisioner-name <provisioner-name>
    
    tmc cluster inspection scan create --cluster-name <cluster-name> --inspection-type CONFORMANCE \
      --management-cluster-name <mc-name> --provisioner-name <provisioner-name>
    Note: The inspection type must be in all capitals as shown above.
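The manual pull/tag/push steps above, scripted so that a push failure (such as the authentication errors the Note says to expect) does not stop the run and the images that were not mirrored are reported at the end for checking against the required list. This is an added example, not part of the Tanzu Mission Control documentation; the registry name and the two-image list are constructed placeholders, and DOCKER can be pointed at "echo docker" for a dry run.

```shell
#!/bin/sh
# Added example (not from the Tanzu Mission Control docs): mirror inspection
# images into a custom registry, continuing past images that fail to push and
# reporting them at the end.
# REGISTRY is an assumed placeholder; DOCKER defaults to the real docker CLI.
REGISTRY="${REGISTRY:-customer-registry.example.com/extensions/inspection-images}"
DOCKER="${DOCKER:-docker}"

# target_ref SOURCE: rewrite SOURCE under $REGISTRY, keeping only the final
# image name and tag, e.g. k8s.gcr.io/e2e-test-images/agnhost:2.36
# becomes $REGISTRY/agnhost:2.36 (matches the layout used in the steps above).
target_ref() {
    name="${1##*/}"           # drop every path component before the last slash
    printf '%s/%s\n' "$REGISTRY" "$name"
}

# Constructed sample list; the real list is the one referenced by the page.
IMAGES="k8s.gcr.io/e2e-test-images/agnhost:2.36
k8s.gcr.io/e2e-test-images/agnhost:2.31"

# mirror_images: pull, tag and push every image in $IMAGES. Failures are
# collected in $failed instead of aborting, then listed on stderr so the
# required images can be verified against the page's image list.
mirror_images() {
    failed=""
    for src in $IMAGES; do
        dst="$(target_ref "$src")"
        if $DOCKER pull "$src" && $DOCKER tag "$src" "$dst" && $DOCKER push "$dst"; then
            echo "mirrored $src -> $dst"
        else
            echo "FAILED  $src (expected for images that require authentication)" >&2
            failed="$failed $src"
        fi
    done
    if [ -n "$failed" ]; then
        echo "not mirrored:$failed" >&2
    fi
    return 0
}

if [ "${1:-}" = "--run" ]; then
    mirror_images
fi
```

Run with `--run` to perform the mirroring; without it the file only defines the functions, so it can be sourced and inspected first.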

Results