C-0001 - Forbidden Container Registries
Framework
Severity
High
Description of the the issue
Running a compromised image in a cluster can compromise the cluster. Attackers who get access to a private registry can plant their own compromised images in the registry. The latter can then be pulled by a user. In addition, users often use untrusted images from public registries (such as Docker Hub) that may be malicious. Building images based on untrusted base images can also lead to similar results.Note, this control is configurable. See below the details.
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Checking image from pod spec, if the registry of the image is from the list of blocked registries we raise an alert.
Remediation
Limit the registries from which you pull container images from
Configuration
This control can be configured using the following parameters. Read CLI/UI documentation about how to change parameters.
Public registries
publicRegistries
Kubescape checks none of these public container registries are in use.
Registries block list
untrustedRegistries
Kubescape checks none of these user-provided container registries are in use.
Example
apiVersion: v1
kind: Pod
metadata:
name: privileged
spec:
containers:
- name: pause
image: k8s.gcr.io/pause # This is the line we check against the configured allowed registries
Updated 11 days ago