How to save SUSE NeuVector Docker images to a local Registry
This document (000021218) is provided subject to the disclaimer at the end of this document.
Situation
With the Docker Hub pull rate limit in place, it is common to encounter the following error:
You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limits
This means the number of image pulls that Docker Hub allows for anonymous (unauthenticated) users, which is counted per source IP address, has been reached.
https://docs.docker.com/docker-hub/download-rate-limit/
Resolution
The best practice is for the administrators of the internal Registry to create a repository that acts as a reverse proxy (pull-through cache) towards Docker Hub (or, more precisely, towards docker.io/neuvector/).
In this way each image is downloaded from Docker Hub only once and kept in the Registry cache for as long as the retention policy defines.
A second best practice, after the first download, is to move the images used in QA/PROD out of the cache and into a local repository, so that they persist in the Registry storage regardless of cache eviction.
The steps, in summary:
1. Create a repository that acts as a proxy cache towards Docker Hub.
2. If the cache has a short retention and you use NeuVector in QA/PROD environments, move the downloaded images to local repositories where the data persists for longer.
3. Create a technical user with READ privileges on the repositories created in points 1 and 2 (in some Registries the permission is called VIEW; either way it allows PULL only, which is all the cluster needs).
4. Create the Kubernetes Secret (type kubernetes.io/dockerconfigjson) in the namespace where NeuVector is installed, using the credentials obtained in point 3 (https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).
5. Edit the YAML manifests as follows:
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     ...
   spec:
     ...
     template:
       ...
       spec:
         imagePullSecrets:
         - name: <THE NAME OF THE SECRET CREATED IN STEP 4>
         containers:
         - image: <THE NAME OF THE INTERNAL REGISTRY>/<THE NAME OF THE REPOSITORY THAT STORES NEUVECTOR IMAGES>/<THE NAME OF THE NEUVECTOR IMAGE>:tag
           ...
   apiVersion: batch/v1
   kind: CronJob
   metadata:
     ...
   spec:
     ...
     jobTemplate:
       spec:
         template:
           ...
           spec:
             imagePullSecrets:
             - name: <THE NAME OF THE SECRET CREATED IN STEP 4>
             containers:
             ...
6. Reapply Kubernetes NeuVector manifests.
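Steps 4 to 6 are easy to get subtly wrong by hand: an image left pointing at docker.io, a CronJob whose Pod spec sits one level deeper than a Deployment's, or an imagePullSecret added twice. The following script is an added example written for this article; it is not SUSE or NeuVector code. It rewrites every docker.io/neuvector/* image reference in a Deployment, DaemonSet, StatefulSet or CronJob onto an internal registry and injects the pull secret exactly once. The registry name registry.example.internal, the repository neuvector-mirror, the secret name neuvector-regcred and the two sample manifests are all assumptions made for the example.

```python
"""Rewrite NeuVector manifests to pull from an internal registry mirror.

Added example, not SUSE/NeuVector code. Assumed (hypothetical) names:
registry "registry.example.internal", repository "neuvector-mirror" inside
it, and a pull secret "neuvector-regcred" created with
'kubectl create secret docker-registry' in the NeuVector namespace.
The sample manifests are constructed for this example, not upstream YAML.
"""
import copy
import json

INTERNAL_REGISTRY = "registry.example.internal"  # assumption
INTERNAL_REPOSITORY = "neuvector-mirror"         # assumption
PULL_SECRET = "neuvector-regcred"                # assumption
UPSTREAM_NAMESPACE = "neuvector"                 # docker.io/neuvector/*


def split_image_ref(ref):
    """Split 'registry/path:tag@digest' into (registry, path, tag, digest).

    As in Docker, the first path component is a registry only if it
    contains '.' or ':' or is 'localhost'; anything else is a docker.io
    namespace, and a bare name such as 'nginx' lives under 'library/'.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    registry = "docker.io"
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry = parts.pop(0)
    if registry == "index.docker.io":
        registry = "docker.io"
    if len(parts) == 1:
        parts.insert(0, "library")
    name, tag = parts[-1], None
    if ":" in name:
        name, tag = name.split(":", 1)
    return registry, "/".join(parts[:-1] + [name]), tag, digest


def rewrite_image_ref(ref):
    """Point a docker.io/neuvector/* reference at the internal mirror.

    Tag and digest are preserved. A digest only survives the mirroring
    if the manifest (or multi-arch index) is copied byte for byte; a
    single-platform 'docker pull' followed by 'docker push' of a
    multi-arch image changes the digest of the pushed tag.
    Images from other registries or namespaces are left untouched.
    """
    registry, path, tag, digest = split_image_ref(ref)
    if registry != "docker.io" or not path.startswith(UPSTREAM_NAMESPACE + "/"):
        return ref
    new = f"{INTERNAL_REGISTRY}/{INTERNAL_REPOSITORY}/{path}"
    if tag:
        new += f":{tag}"
    if digest:
        new += f"@{digest}"
    return new


def pod_spec(obj):
    """Return the Pod spec of a Deployment/DaemonSet/StatefulSet/CronJob."""
    if obj.get("kind") == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    return obj["spec"]["template"]["spec"]


def rewrite_manifest(obj):
    """Return a copy with images rewritten and the pull secret added once."""
    out = copy.deepcopy(obj)
    spec = pod_spec(out)
    for key in ("initContainers", "containers"):
        for container in spec.get(key, []):
            container["image"] = rewrite_image_ref(container["image"])
    secrets = spec.setdefault("imagePullSecrets", [])
    if not any(s.get("name") == PULL_SECRET for s in secrets):
        secrets.append({"name": PULL_SECRET})  # idempotent on re-runs
    return out


# Constructed sample manifests (trimmed; not the upstream NeuVector YAML).
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "neuvector-scanner-pod", "namespace": "neuvector"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "scanner", "image": "neuvector/scanner:3.231"}]}}},
}
SAMPLE_CRONJOB = {
    "apiVersion": "batch/v1", "kind": "CronJob",
    "metadata": {"name": "neuvector-updater-pod", "namespace": "neuvector"},
    "spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": [
        {"name": "updater", "image": "docker.io/neuvector/updater:latest"}]}}}}},
}

if __name__ == "__main__":
    for manifest in (SAMPLE_DEPLOYMENT, SAMPLE_CRONJOB):
        print(json.dumps(rewrite_manifest(manifest), indent=2))
```

Run it once over the manifests you already have (loaded with any YAML library, or converted with kubectl), write the output back and apply it as in step 6. The rewrite is deliberately scoped to docker.io/neuvector/* so that images from other registries are not redirected to a repository that does not hold them, and it is idempotent, so re-running it after a NeuVector upgrade does not stack duplicate imagePullSecrets entries.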
Quay Registry useful links:
- https://access.redhat.com/documentation/en-us/red_hat_quay/3.7/html/use_red_hat_quay/quay-as-cache-proxy#doc-wrapper
- https://access.redhat.com/documentation/en-us/red_hat_quay/3/html/use_red_hat_quay/use-quay-manage-repo#allow-user-access-user-repo
JFrog Artifactory Repository useful links:
- https://jfrog.com/help/r/jfrog-artifactory-documentation/docker-registry
- https://jfrog.com/help/r/jfrog-artifactory-documentation/remote-repositories
- https://jfrog.com/help/r/jfrog-platform-administration-documentation/jfrog-platform-permission-migration
Alternative
The solution above may take some time to set up, especially if you want to automate moving images from one repository to another or define a retention policy carefully.
In the meantime, while the aspects described above are being defined, you can ask for a local repository and two sets of credentials: one with PUSH (write) privileges, used on the workstation that mirrors the images, and one with READ privileges only, used in the Kubernetes pull Secret. Then manually pull/tag/login/push.
Example:
$ docker pull neuvector/scanner:3.231
$ docker tag neuvector/scanner:3.231 my-internal-docker-registry-name/my-internal-docker-repository-name/neuvector/scanner:3.231
$ docker login my-internal-docker-registry-name
$ docker push my-internal-docker-registry-name/my-internal-docker-repository-name/neuvector/scanner:3.231
Alternative two
A paid Docker subscription allows up to 5000 pulls per day for an authenticated user. The pulls are then counted against the account instead of the IP address, so the nodes must actually authenticate to docker.io when pulling (for example through an imagePullSecret for docker.io), otherwise they remain anonymous and keep hitting the limit.
Note: the scanner image is rebuilt daily to incorporate the latest CVE sources. Ensure a policy is in place to refresh the internal copy, otherwise a mirrored scanner keeps scanning against stale vulnerability data.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000021218
- Creation Date: 28-Sep-2023
- Modified Date: 11-Nov-2023
- SUSE NeuVector
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com