2
votes

I'm using GCR (Google Container Registry) as my Docker image registry in service of GKE (Google Kubernetes Engine) deployments. My penetration testing team has requested I make the Docker images from GCR available for them for testing.

I can create the Docker images locally but that is not quite what they are after.

How can I go about downloading a Docker image from GCR to my PC?

And then following on from that, how can I go about copying the Docker image and handing it over to the penetration testing team?

1
Did you check if it was actually solving your issue? - GalloCedrone
@GalloCedrone, I was hoping to download the Docker image and hand it over to the penetration testing team on a USB drive. Now, this is almost certainly my lack of understanding of Docker showing, but following on from a successful pull, how do I get access to the actual image file? Am I just not getting how this works? The penetration testing team is a contracted team so I'd rather not give them access to our entire GCR. - Frank
@GalloCedrone, I've re-read my question and to your credit, I did not express the need to hand the image over to the penetration testing team very well. I've updated my question to more clearly express this point. - Frank
The correct way to proceed, and also the one that I guess the penetration testing team would prefer (if they have internet access), is the one I described to you. However, since you are interested in doing so, I've updated the answer to show how to do it. - GalloCedrone

1 Answer

4
votes

Quoting from the documentation:

You can access Container Registry through secure HTTPS endpoints, which allow you to push, pull, and manage images from any system, VM instance, or your own hardware. Additionally, you can use the Docker credential helper command-line tool to configure Docker to authenticate directly with Container Registry.

As you can check here, the way to proceed is to grant one or more users the permission inside a project to access the container registry:

Pull (Read Only)
roles/storage.objectViewer (Storage Object Viewer):
 - storage.objects.get
 - storage.objects.list

Once you have done this, you can install the classical Google Cloud SDK and, once you are logged in, you should be able to authenticate Docker and pull the image by running:

  $ gcloud auth configure-docker
  $ docker pull [HOSTNAME]/[PROJECT-ID]/[IMAGE][:TAG]

Notice that you can also decide to make an image public and pull it by running only the classical:

  $ docker pull [HOSTNAME]/[PROJECT-ID]/[IMAGE][:TAG]

Step-by-step guide showing how to do it.

UPDATE

Since it seems that you are interested in saving it on your local disk in a nice format and handing it over to another team, these are the possible steps to do so:

$ gcloud auth configure-docker
$ docker pull [HOSTNAME]/[PROJECT-ID]/[IMAGE][:TAG]
$ docker save IMAGENAME:TAG -o FILENAME.tar

Notice that, as far as I know, you can save images only if they are present when running docker images

Further documentation: Difference between save and export in Docker
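The following is an added example, not part of the original answer: it goes one step beyond the save command above by writing a SHA-256 checksum next to the archive, so the team receiving the USB drive can confirm the file is intact and is a `docker save` archive before loading it. The function names and file names are hypothetical, and it assumes `sha256sum` and `tar` are available on both machines.

```shell
#!/usr/bin/env bash
# Added example: offline handover of a pulled image with an integrity check.
# Function names are hypothetical; docker is only called by export_image
# and import_image.

# Write FILENAME.tar.sha256 beside the archive, in `sha256sum -c` format.
write_checksum() {
    archive=$1
    ( cd "$(dirname "$archive")" &&
      sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
}

# Sender: save an already-pulled image, then record its checksum.
# usage: export_image IMAGENAME:TAG FILENAME.tar
export_image() {
    docker save "$1" -o "$2" || return 1
    write_checksum "$2"
}

# Recipient: verify the archive before trusting it.
# returns 0 = ok, 1 = checksum mismatch, 2 = checksum file missing,
#         3 = tar has no manifest.json (not a `docker save` archive)
verify_archive() {
    archive=$1
    if [ ! -f "$archive.sha256" ]; then
        echo "missing $archive.sha256" >&2
        return 2
    fi
    ( cd "$(dirname "$archive")" &&
      sha256sum -c "$(basename "$archive").sha256" >/dev/null ) || return 1
    if ! tar -tf "$archive" | grep -qx 'manifest.json'; then
        echo "$archive does not contain manifest.json" >&2
        return 3
    fi
}

# Recipient: load the image only when verification succeeds.
# usage: import_image FILENAME.tar
import_image() {
    verify_archive "$1" && docker load -i "$1"
}
```

Send the `.sha256` file over a separate channel from the USB drive, since a checksum stored beside the archive only detects accidental corruption, not deliberate replacement of both files.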