Private Container Registry for Cloud Native Protection
When using Exocompute, Rubrik will need to download Docker container images to perform operations on your EKS cluster. These images are downloaded from an Elastic Container Registry (ECR) hosted by Rubrik. If you want the images downloaded from a self-hosted registry, you can use Rubrik's Private Container Registry (PCR) offering.
After you have configured PCR, you need to:
- Download the Docker images, which are part of an image bundle, from Rubrik's ECR.
- Notify Rubrik of the approval or rejection status of an image bundle.
Note: For the GQL queries and mutations mentioned below, reference the API documentation.
Downloading an image bundle
To download an image bundle from Rubrik's ECR, use the following:
QUERY='{"query": "query ExotaskImageBundle {
  exotaskImageBundle {
    azureImages {
      bundleVersion
      repoUrl
      bundleImages {
        name
        tag
        sha
      }
    },
    awsImages {
      bundleVersion
      repoUrl
      bundleImages {
        name
        tag
        sha
      }
      eksVersion
    }
  }
}
"}'
# $QUERY is deliberately unquoted inside $(echo ...): word splitting folds the
# newlines into spaces, so the request body is valid single-line JSON.
curl -X POST "https://$account.my.rubrik.com/api/graphql" \
  --header "authorization: Bearer $access_token" \
  --header "content-type: application/json" \
  --data "$(echo $QUERY)"
Query input
If you are using BYOK with AWS, use the following input:
{
  "input": {
    "eksVersion": "<EksVersion>"
  }
}
If you are not using BYOK with AWS, no input is needed.
Steps to download the images from AWS ECR:
Ensure that you download images from the AWS account you whitelisted during PCR setup. Otherwise, you will not be authorized to pull the Docker images from Rubrik's ECR.
- Install docker on your system and ensure that the docker daemon is running.
- Install and configure the aws CLI.
- Use the response of the exotaskImageBundle GQL API (exotaskImageBundle.awsImages) to log in to Rubrik's ECR and download the Docker images. For more information, see Rubrik's Python script.
- If you are using your own script and uploading the images to your PCR, tag the images with the bundle version you got from Rubrik as part of the exotaskImageBundle GQL API. If you use Rubrik's Python script, the script will automatically tag the images with the bundle version.
Steps to download the images from Azure ACR:
Ensure that you download images using the Azure AppID that you whitelisted during PCR setup. Otherwise, you will not be authorized to pull the Docker images from Rubrik's ACR.
- Install docker on your system and ensure that the docker daemon is running.
- Install and configure the Azure CLI.
- Use the response of the exotaskImageBundle GQL API (exotaskImageBundle.azureImages) to log in to Rubrik's ACR and download the Docker images. For more information, see Rubrik's Python script.
- If you are using your own script and uploading the images to your PCR, tag the images with the bundle version you got from Rubrik as part of the exotaskImageBundle GQL API. If you use Rubrik's Python script, the script will automatically tag the images with the bundle version.
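The AWS and Azure download steps above, as an added example (not Rubrik's script and not code from the original page): it turns an exotaskImageBundle response into docker commands that pull each image by digest instead of by tag, so the pulled content has to match the sha listed in the bundle, and then tags it with the bundle version for the private registry. It assumes that sha is the image's SHA-256 manifest digest and that images are addressed as repoUrl/name; the sample response, registry hosts and function names are constructed.

```python
import re
import shlex

# Constructed sample: field names come from the exotaskImageBundle query,
# every value (hosts, names, versions, digests) is made up.
SAMPLE_RESPONSE = {"data": {"exotaskImageBundle": {"awsImages": {
    "bundleVersion": "1.0.0-example",
    "repoUrl": "registry.example.com/exotask",
    "eksVersion": "1.29",
    "bundleImages": [
        {"name": "agent", "tag": "v1", "sha": "a" * 64},
        {"name": "proxy", "tag": "v2", "sha": "sha256:" + "b" * 64},
    ],
}}}}

_DIGEST = re.compile(r"(?:sha256:)?([0-9a-f]{64})")


def normalize_digest(sha):
    """Return 'sha256:<hex>'; reject anything that is not a SHA-256 digest."""
    match = _DIGEST.fullmatch(sha.strip().lower())
    if match is None:
        raise ValueError(f"not a SHA-256 digest: {sha!r}")
    return "sha256:" + match.group(1)


def mirror_plan(response, cloud, pcr_repo):
    """Build docker argv lists for one cloud ('awsImages' or 'azureImages')."""
    bundle = response["data"]["exotaskImageBundle"][cloud]
    source_repo = bundle["repoUrl"].rstrip("/")  # assumption: images at repoUrl/name
    plan = []
    for image in bundle["bundleImages"]:
        # Assumption: 'sha' is the manifest digest. A digest reference makes
        # docker refuse content that does not hash to the expected value.
        source = f"{source_repo}/{image['name']}@{normalize_digest(image['sha'])}"
        target = f"{pcr_repo.rstrip('/')}/{image['name']}:{bundle['bundleVersion']}"
        plan += [["docker", "pull", source],
                 ["docker", "tag", source, target],
                 ["docker", "push", target]]
    return plan


if __name__ == "__main__":
    # Print the commands for review; run them with subprocess.run(argv, check=True)
    # after logging in to both registries.
    for argv in mirror_plan(SAMPLE_RESPONSE, "awsImages", "pcr.example.internal/rubrik"):
        print(shlex.join(argv))
```

Building argv lists rather than shell strings keeps image names and versions from the API response out of shell parsing.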
Image bundle approval
To approve an image bundle, use the following (EKS version is needed only if AWS is being used):
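# GraphQL over HTTP carries a mutation in the "query" field of the request body;
# the mutation input (see "Mutation input" below) travels in "variables".
VARIABLES='{"input": {"bundleVersion": "<BundleVersion>", "bundleMetadata": {"eksVersion": "<EKSVersion>"}, "approvalStatus": "<ApprovalStatus>"}}'
MUTATION='{"query": "mutation SetBundleApprovalStatus($input: SetBundleApprovalStatusInput!) {
  setBundleApprovalStatus(input: $input)
}
", "variables": '"$VARIABLES"'}'
curl -X POST "https://$account.my.rubrik.com/api/graphql" \
  --header "authorization: Bearer $access_token" \
  --header "content-type: application/json" \
  --data "$(echo $MUTATION)"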
Mutation input
{
  "input": {
    "bundleVersion": "<BundleVersion>",
    "bundleMetadata": {
      "eksVersion": "<EKSVersion>"
    },
    "approvalStatus": "<ApprovalStatus>"
  }
}