RAD Security produces a comprehensive SBOM (Software Bill of Materials) for the container images running in your cluster. The rad-sbom plugin pulls those images through the registry API, which requires authentication for private registries. Using imagePullSecrets (static registry credentials stored in the cluster) is not optimal security-wise, so for Azure ACR the recommended approach is managed identity authentication via AKS workload identity, which the steps below configure.

Prerequisites

  • Azure CLI
  • Helm CLI

Configuration Steps

1. Login to Azure CLI

az login

2. Verify Cluster Configuration

Ensure the cluster has both oidcIssuerProfile and workloadIdentity enabled (both should report enabled: true in the output of the following command):
az aks show -g <resource-group> -n <cluster-name>

3. Create rad-sbom Identity

export RG=<resource-group>
export CLUSTER_NAME=<cluster-name>
export LOC=<location>

export AKS_OIDC_ISSUER="$(az aks show -n $CLUSTER_NAME -g $RG --query "oidcIssuerProfile.issuerUrl" -otsv)"

az identity create --name rad-sbom -g $RG --location $LOC

4. Get Client ID

Note the returned value: it is the RAD_SBOM_CLIENT_ID used in step 5 and the azureWorkloadIdentityClientId used in step 7.

az identity show -g $RG --name rad-sbom --query 'clientId' -o tsv

5. Assign AcrPull Role

export RG=<resource-group>
export ACR_NAME=<acr-name>
export SUBSCRIPTION_ID=<subscription-id>
export RAD_SBOM_CLIENT_ID=<rad-sbom-identity-client-id>

az role assignment create --assignee $RAD_SBOM_CLIENT_ID --role "AcrPull" --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG/providers/Microsoft.ContainerRegistry/registries/$ACR_NAME"

6. Federate Identity

export RG=<resource-group>
export CLUSTER_NAME=<cluster-name>
export AKS_OIDC_ISSUER="$(az aks show -n $CLUSTER_NAME -g $RG --query "oidcIssuerProfile.issuerUrl" -otsv)"
export NAMESPACE=<namespace>

az identity federated-credential create \
  --name rad-sbom-to-${CLUSTER_NAME} \
  --identity-name rad-sbom \
  --resource-group $RG \
  --issuer ${AKS_OIDC_ISSUER} \
  --subject system:serviceaccount:${NAMESPACE}:rad-sbom

7. Install rad-plugins

Add the following to your values.yaml:
rad:
  apiUrl: "https://api.rad.security"
  base64AccessKeyId: "<rad-access-key-id>"
  base64SecretKey: "<rad-secret-key>"
  clusterName: "<cluster-name>"
  azureWorkloadIdentityClientId: "<identity-client-id>"
Continue installation per the ArtifactHub documentation.
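The helper script below is an added example and is not part of RAD Security's documentation or tooling. It ties steps 2 to 6 together: it parses a constructed sample of `az aks show` output to confirm the OIDC issuer and workload identity are enabled, extracts the issuer URL, validates the namespace, builds the exact AcrPull scope and federated-credential subject strings, and prints the resulting az commands as a plan instead of running them. All function names, the sample JSON and the example resource names are assumptions chosen for this illustration; the only value that must match your real deployment is the subject, which has to be exactly system:serviceaccount:<namespace>:rad-sbom for the chart's service account.

```shell
#!/bin/sh
# Added example (not RAD Security's code): POSIX sh helpers that compute and
# sanity-check the values needed for the rad-sbom workload identity setup.
# No az command is executed; print_plan only prints them.
set -eu

# Constructed sample of `az aks show` output, trimmed to the relevant fields.
SAMPLE_AKS_JSON='{
  "name": "aks-example",
  "oidcIssuerProfile": {
    "enabled": true,
    "issuerUrl": "https://eastus.oic.prod-aks.azure.com/00000000-0000-0000-0000-000000000000/11111111-1111-1111-1111-111111111111/"
  },
  "securityProfile": { "workloadIdentity": { "enabled": true } }
}'

# Same shape, but workload identity is off (the failure case step 2 catches).
SAMPLE_AKS_JSON_DISABLED='{
  "oidcIssuerProfile": { "enabled": true, "issuerUrl": "https://example.invalid/" },
  "securityProfile": { "workloadIdentity": { "enabled": false } }
}'

# Scope string for `az role assignment create --scope` (step 5).
acr_scope() {
  # $1 subscription id, $2 resource group, $3 ACR name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ContainerRegistry/registries/%s' "$1" "$2" "$3"
}

# Federated-credential subject (step 6). Workload identity matches this
# string exactly, so a wrong namespace or service account name silently
# breaks token exchange rather than producing an obvious error.
fed_subject() {
  # $1 namespace, $2 service account name
  printf 'system:serviceaccount:%s:%s' "$1" "$2"
}

# Kubernetes namespace / service-account names are RFC 1123 labels.
valid_k8s_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# Step 2 check: both oidcIssuerProfile and workloadIdentity must be enabled.
# Whitespace is stripped first so plain grep works without jq.
aks_wi_ready() {
  json=$(printf '%s' "$1" | tr -d ' \n\t')
  printf '%s' "$json" | grep -q '"oidcIssuerProfile":{[^}]*"enabled":true' || return 1
  printf '%s' "$json" | grep -q '"workloadIdentity":{[^}]*"enabled":true' || return 1
  return 0
}

# Extract oidcIssuerProfile.issuerUrl (what step 3/6 query with --query).
aks_issuer_url() {
  printf '%s' "$1" | tr -d ' \n\t' | sed -n 's/.*"issuerUrl":"\([^"]*\)".*/\1/p'
}

# Print the az commands for steps 3-6 with the computed values filled in.
# Review the output, then pipe it into `sh` to execute.
print_plan() {
  # $1 subscription, $2 resource group, $3 cluster, $4 location,
  # $5 ACR name, $6 namespace, $7 OIDC issuer URL
  valid_k8s_name "$6" || { echo "invalid namespace: $6" >&2; return 1; }
  scope=$(acr_scope "$1" "$2" "$5")
  subject=$(fed_subject "$6" rad-sbom)
  cat <<EOF
az identity create --name rad-sbom -g $2 --location $4
CLIENT_ID=\$(az identity show -g $2 --name rad-sbom --query clientId -o tsv)
az role assignment create --assignee "\$CLIENT_ID" --role AcrPull --scope "$scope"
az identity federated-credential create --name rad-sbom-to-$3 --identity-name rad-sbom --resource-group $2 --issuer "$7" --subject "$subject"
EOF
}

# Stand-alone demo against the constructed sample (prints a plan, runs nothing).
if aks_wi_ready "$SAMPLE_AKS_JSON"; then
  print_plan 00000000-0000-0000-0000-000000000000 rg-example aks-example eastus \
    acrexample rad-system "$(aks_issuer_url "$SAMPLE_AKS_JSON")"
else
  echo "cluster is not ready for workload identity" >&2
fi
```

In practice you would replace SAMPLE_AKS_JSON with `az aks show -g $RG -n $CLUSTER_NAME -o json` and feed the real namespace you install rad-plugins into; the plan output is then the same command sequence as steps 3 to 6 above, with the scope and subject already assembled.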