C-0001 - Forbidden Container Registries
Forbidden Container Registries
Description of the the issue
Running a compromised image in a cluster can compromise the cluster. Attackers who get access to a private registry can plant their own compromised images in the registry. The latter can then be pulled by a user. In addition, users often use untrusted images from public registries (such as Docker Hub) that may be malicious. Building images based on untrusted base images can also lead to similar results.Note, this control is configurable. See below the details.
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Checking image from pod spec, if the registry of the image is from the list of blocked registries we raise an alert.
Limit the registries from which you pull container images from
This control can be configured using the following parameters. Read CLI/UI documentation about how to change parameters.
Kubescape checks none of these public registries are in use.
Registries block list
Kubescape checks none of the following registries are in use.
apiVersion: v1 kind: Pod metadata: name: privileged spec: containers: - name: pause image: k8s.gcr.io/pause # This is the line we check against the configured allowed registries
Updated about 8 hours ago