I'm using GCR (Google Container Registry) as my Docker image registry in service of GKE (Google Kubernetes Engine) deployments. My penetration testing team has requested I make the Docker images from GCR available for them for testing.
I can create the Docker images locally but that is not quite what they are after.
How can I go about downloading a Docker image from GCR to my PC?
And then following on from that, how can I go about copying the Docker image and handing it over to the penetration testing team.
Quoting from the documentation:
You can access Container Registry through secure HTTPS endpoints, which allow you to push, pull, and manage images from any system, VM instance, or your own hardware. Additionally, you can use the Docker credential helper command-line tool to configure Docker to authenticate directly with Container Registry.
As you can check here the way to proceed to to grant to one or more user the permission inside a project to access the container register:
Pull (Read Only)    
roles/storage.objectViewer  Storage Object Viewer :    
 - storage.objects.get
 - storage.objects.listOnce you have done this you can install the classical google Cloud SDK and you logged in, you should be able to authenticate docker and pull the image running:
  $ gcloud auth configure-docker
  $ docker pull [HOSTNAME]/[PROJECT-ID]/[IMAGE][:TAG]Notice that you can also decide to create an image public and pull it running only the classical:
  $ docker pull [HOSTNAME]/[PROJECT-ID]/[IMAGE][:TAG]Step to Step guide showing how to do it.
Since it seems that you are interested to save it on your local disk in a nice format and hand it over to an other team, these are the possible steps to do so:
$ gcloud auth configure-docker
$ docker pull [HOSTNAME]/[PROJECT-ID]/[IMAGE][:TAG]
$ docker save IMAGENAME:TAG -o FILENAME.tar
Notice that as far as I now you can save images merely if they are present running docker images
Further documentation: Difference between save and export in Docker