Private Container Registry for Cloud Native Protection

When using Exocompute, Rubrik will need to download Docker container images to perform operations on your EKS cluster. These images are downloaded from an Elastic Container Registry (ECR) hosted by Rubrik. If you want the images downloaded from a self-hosted registry, you can use Rubrik's Private Container Registry (PCR) offering.

After you have configured PCR, you need to:

  1. Download the Docker images, which are part of an image bundle, from Rubrik's ECR.
  2. Notify Rubrik of the approval or rejection status of an image bundle.

Note: For the GQL queries and mutations mentioned below, reference the API documentation.

Downloading an image bundle

To download an image bundle from Rubrik's ECR, use the following:

QUERY='{"query": "query ExotaskImageBundle {
  exotaskImageBundle {
    bundleVersion
    repoUrl
    bundleImages {
      name
      tag
      sha
    }
    eksVersion
  }
}
"}'

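# $QUERY is left unquoted on purpose: word splitting collapses its newlines,
# which are not allowed inside a JSON string.
curl -X POST "https://$account.my.rubrik.com/api/graphql" \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $QUERY)"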

Query input

If you are using BYOK, use the following input:

{
  "input": {
    "eksVersion": "<EksVersion>"
  }
}

If you are not using BYOK, no input is needed.

Steps to download the images:

Ensure that you download images from the AWS account you whitelisted during PCR setup. Otherwise, you will not be authorized to pull the Docker images from Rubrik's ECR.

  1. Install Docker on your system and ensure that the Docker daemon is running.
  2. Install and configure the AWS CLI.
  3. Use the response of the exotaskImageBundle GQL API to log in to Rubrik's ECR and download the Docker images. For more information, see Rubrik's Python script.
  4. If you are using your own script and uploading the images to your PCR, tag the images with the bundle version you got from Rubrik as part of the exotaskImageBundle GQL API. If you use Rubrik's Python script, the script will automatically tag the images with the bundle version.
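The mirroring in steps 3 and 4, as an added example that is not Rubrik's script: it turns an exotaskImageBundle response into digest-pinned pull references and bundle-version tags for a private registry. It assumes images live at <repoUrl>/<name>, that sha is a SHA-256 digest with or without the sha256: prefix, and that docker is already logged in to both registries; the sample response and the registry name registry.example.internal/rubrik are constructed.

```python
import json
import re
import subprocess

# Constructed sample of an exotaskImageBundle response; every value is a placeholder.
SAMPLE_RESPONSE = json.dumps({"data": {"exotaskImageBundle": {
    "bundleVersion": "1.0.0-example",
    "repoUrl": "111111111111.dkr.ecr.us-east-1.amazonaws.com/example-repo",
    "eksVersion": "1.29",
    "bundleImages": [
        {"name": "example-agent", "tag": "v1", "sha": "a" * 64},
        {"name": "example-worker", "tag": "v2", "sha": "sha256:" + "b" * 64},
    ],
}}})

DIGEST = re.compile(r"(?:sha256:)?([0-9a-f]{64})")      # assumed format of "sha"
NAME = re.compile(r"[a-z0-9][a-z0-9._/-]*")             # registry repository name
TAG = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}")  # valid Docker tag


def build_mirror_plan(response_text, pcr_repo):
    """Return [(source_ref, target_ref)], each source pinned to its digest."""
    bundle = json.loads(response_text)["data"]["exotaskImageBundle"]
    version = bundle["bundleVersion"]
    if not TAG.fullmatch(version):
        raise ValueError(f"bundleVersion is not usable as a tag: {version!r}")
    plan = []
    for image in bundle["bundleImages"]:
        digest = DIGEST.fullmatch(image["sha"])
        if not digest or not NAME.fullmatch(image["name"]):
            raise ValueError(f"refusing malformed image entry: {image!r}")
        # Assumption: images live at <repoUrl>/<name>. Pulling by digest, not
        # by tag, means a re-pointed tag cannot change what gets mirrored.
        source = f"{bundle['repoUrl']}/{image['name']}@sha256:{digest.group(1)}"
        # Step 4: the copy in the private registry carries the bundle version.
        target = f"{pcr_repo}/{image['name']}:{version}"
        plan.append((source, target))
    return plan


def mirror(plan):
    """Pull, retag and push each image (needs docker, logged in to both registries)."""
    for source, target in plan:
        for cmd in (["docker", "pull", source],
                    ["docker", "tag", source, target],
                    ["docker", "push", target]):
            subprocess.run(cmd, check=True)  # argv list, no shell interpolation
```

Call mirror(build_mirror_plan(response_text, "registry.example.internal/rubrik")) with the real API response; a malformed entry stops the run before anything is pulled.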

Image bundle approval

To approve an image bundle, use the following:

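# GraphQL over HTTP expects the operation under the "query" key, for mutations too.
# Send the mutation input shown below as a "variables" object in the same JSON body.
MUTATION='{"query": "mutation SetBundleApprovalStatus($input: SetBundleApprovalStatusInput!) {
  setBundleApprovalStatus(input: $input)
}
"}'

# $MUTATION is left unquoted on purpose so that its newlines collapse to spaces.
curl -X POST "https://$account.my.rubrik.com/api/graphql" \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"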

Mutation input

{
  "input": {
    "bundleVersion": "<BundleVersion>",
    "bundleMetadata": {
      "eksVersion": "<EKSVersion>"
    },
    "approvalStatus": "<ApprovalStatus>"
  }
}