Scanning container images from private AWS Elastic Container Registry (ECR) in EKS on AWS Fargate

Deepfactor provides helm charts that install a mutating admission webhook and one or more scan pods in your K8s cluster. Deepfactor can automatically scan container images used by pods in your K8s cluster and also observe running containers for runtime security vulnerabilities. Deepfactor can also correlate the results of the two.

The webhook listens for pod create events and then determines, based on the cluster and namespace configuration, whether the container images used in the application pod need to be scanned. If a container image needs to be scanned, the webhook passes that information on to the scan pod, which performs the actual scan of the container image. If you are deploying container images from a private ECR in your Amazon EKS workloads, the Deepfactor scan pod will need to authenticate with your private ECR in order to scan the image.

If you are using EKS to run workloads on EC2 machines from a private ECR, please refer to:

Scanning container images from private AWS Elastic Container Registry (ECR) in EKS on EC2

The following document describes how you can provide Deepfactor scan pod access to your private ECR when your workloads are running on AWS Fargate using EKS.

Create a K8s secret for registry credentials

In this section, we will create a K8s secret that will be passed to the Deepfactor scan pod to indicate that container images are hosted on private ECR.

Create a docker config json file

Create a file named dockerconfig.json with the following contents

{
  "credsStore": "ecr-login"
}


Create a K8s secret from the docker config file

Create a K8s secret from the docker config file created in the previous step using the following command

kubectl create secret generic regcred \
  --from-file=.dockerconfigjson=dockerconfig.json \
  --type=kubernetes.io/dockerconfigjson --namespace=df-webhook

The above command assumes that you have already created the df-webhook namespace. If not, use the following command to create the namespace before running the create secret command.

kubectl create ns df-webhook


Create a service account with required IAM policies

The containers running in a Fargate pod can’t assume the IAM permissions associated with the pod execution role. So, even though the pod execution role may have permission to pull container images from ECR, the Deepfactor scan container cannot pull images by assuming that role. To allow the Deepfactor scan container to pull your application’s container images from private ECR, we need to use IAM roles for service accounts. The following section describes the steps to create a service account that can assume an IAM role with sufficient permissions to pull container images from private ECR.

Creating an IAM OIDC provider for your cluster

Follow the steps in the AWS article below. You need to perform this step only once per K8s cluster.

Creating an IAM OIDC provider for your cluster

Configuring a K8s service account to assume an AWS IAM role

In this step, we will create a K8s service account for Deepfactor and allow that service account to assume an IAM role.

eksctl create iamserviceaccount --name df-service-account \
--namespace df-webhook --cluster YOUR_K8s_CLUSTER_NAME \
--role-name "df-webhook-role" \
--attach-policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \
--approve --override-existing-serviceaccounts

Replace YOUR_K8s_CLUSTER_NAME with the name of your EKS Fargate cluster. In this command:

df-service-account is the name of the service account that will be created

df-webhook-role is the name of the IAM role that will be created

AmazonEC2ContainerRegistryReadOnly is the AWS managed policy that provides read-only access to your ECR

You can read more about IAM roles for service accounts in the AWS documentation.


Provide the service account & secret name in Deepfactor helm override parameters

Provide the names of the K8s secret and service account created in the steps above in the override.yaml file used when installing the Deepfactor webhook helm chart, as shown below:

staticscan:
  secretName: regcred
  serviceAccountName: df-service-account

Install the Deepfactor webhook helm chart and Deepfactor scan pod will now be able to pull and scan images from your private ECR.
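The procedure above (docker config, registry Secret, IAM-backed service account, Helm override) as one added shell example; this is not Deepfactor's own tooling or part of the original article. It renders the Secret and override.yaml as manifests so they can be reviewed and applied with kubectl apply -f (or committed to a GitOps repository) instead of being created imperatively, and it adds two checks a reviewer would want: that the decoded docker config only delegates to the ecr-login credential helper and embeds no static registry token, and that the service account carries the eks.amazonaws.com/role-arn annotation that eksctl adds, since without it the scan pod receives no IAM credentials. The namespace, secret and service account names are the article's; the sample ServiceAccount YAML and the account id 123456789012 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Deepfactor documentation or tooling.
# Renders the resources from the article as manifests for review and kubectl apply.
set -eu

NAMESPACE="${NAMESPACE:-df-webhook}"        # namespace the webhook chart installs into
SECRET_NAME="${SECRET_NAME:-regcred}"       # referenced by staticscan.secretName
SA_NAME="${SA_NAME:-df-service-account}"    # referenced by staticscan.serviceAccountName

# Docker config from the article: delegate ECR auth to the ecr-login credential
# helper, so no registry token is stored in the cluster.
docker_config_json() {
  printf '{\n  "credsStore": "ecr-login"\n}\n'
}

# Single-line base64 of the docker config, as stored under .dockerconfigjson.
docker_config_b64() {
  docker_config_json | base64 | tr -d '\n'
}

# Secret manifest equivalent to the article's
# `kubectl create secret generic regcred ... --type=kubernetes.io/dockerconfigjson`.
render_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${SECRET_NAME}
  namespace: ${NAMESPACE}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(docker_config_b64)
EOF
}

# Helm override values for the Deepfactor webhook chart.
render_override_yaml() {
  cat <<EOF
staticscan:
  secretName: ${SECRET_NAME}
  serviceAccountName: ${SA_NAME}
EOF
}

# Decode the rendered secret and confirm it only names the credential helper:
# an "auths" block would mean a static registry token was embedded.
check_secret_manifest() {
  decoded=$(render_secret_manifest | sed -n 's/^  \.dockerconfigjson: //p' | base64 -d)
  case "$decoded" in
    *'"credsStore": "ecr-login"'*) ;;
    *) echo "credsStore is not ecr-login" >&2; return 1 ;;
  esac
  case "$decoded" in
    *'"auths"'*) echo "static registry credentials found in docker config" >&2; return 1 ;;
  esac
}

# Verify that a ServiceAccount manifest on stdin (for example from
# `kubectl get sa -n df-webhook df-service-account -o yaml`) carries the
# eks.amazonaws.com/role-arn annotation that eksctl adds. Without it the scan
# pod gets no IAM credentials and the ECR pull fails.
check_sa_role_annotation() {
  grep -Eq '^[[:space:]]*eks\.amazonaws\.com/role-arn:[[:space:]]*arn:aws:iam::[0-9]{12}:role/'
}

# Constructed sample of what eksctl produces (account id is a placeholder).
SAMPLE_SA_YAML='apiVersion: v1
kind: ServiceAccount
metadata:
  name: df-service-account
  namespace: df-webhook
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/df-webhook-role'

# Constructed sample of the same service account if the IRSA step was skipped.
SAMPLE_SA_YAML_NO_ROLE='apiVersion: v1
kind: ServiceAccount
metadata:
  name: df-service-account
  namespace: df-webhook'

# Usage (after sourcing this file):
#   check_secret_manifest && render_secret_manifest > secret.yaml && render_override_yaml > override.yaml
#   kubectl get sa -n df-webhook df-service-account -o yaml | check_sa_role_annotation
```

The Secret is rendered rather than created so it can be diffed and reviewed before it lands in the df-webhook namespace; the decoded config is deliberately the article's credsStore-only form, which is what keeps long-lived ECR tokens out of the cluster.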


Install Deepfactor K8s helm charts

Follow the instructions described in the following article:

Install Deepfactor Mutating Webhook

Updated on May 30, 2023