Private registry support for Kubernetes

KubeClarity uses k8schain for authenticating to the registries. If the necessary service credentials are not discoverable by the k8schain, you can define them as secrets as described below.

In addition, if service credentials are not located in the kubeclarity namespace, set CREDS_SECRET_NAMESPACE to kubeclarity Deployment.

When using Helm charts, CREDS_SECRET_NAMESPACE is set to the release namespace installed kubeclarity.

Amazon ECR

  1. Create an AWS IAM user with AmazonEC2ContainerRegistryFullAccess permissions.

  2. Use the user credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION) to create the following secret:

    cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: Secret
      name: ecr-sa
      namespace: kubeclarity
    type: Opaque
      AWS_ACCESS_KEY_ID: $(echo -n 'XXXX'| base64 -w0)
      AWS_SECRET_ACCESS_KEY: $(echo -n 'XXXX'| base64 -w0)
      AWS_DEFAULT_REGION: $(echo -n 'XXXX'| base64 -w0)


    • The name of the secret must be ecr-sa
    • The secret data keys must be set to AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION

Google GCR

  1. Create a Google service account with Artifact Registry Reader permissions.

  2. Use the service account json file to create the following secret:

    kubectl --namespace kubeclarity create secret generic --from-file=sa.json gcr-sa


    • Secret name must be gcr-sa
    • sa.json must be the name of the service account json file when generating the secret
    • KubeClarity is using application default credentials. These only work when running KubeClarity from GCP.