C-0001 - Forbidden Container Registries

Framework

Severity

High

Description of the the issue

Running a compromised image in a cluster can compromise the cluster. Attackers who get access to a private registry can plant their own compromised images in the registry. The latter can then be pulled by a user. In addition, users often use untrusted images from public registries (such as Docker Hub) that may be malicious. Building images based on untrusted base images can also lead to similar results.Note, this control is configurable. See below the details.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Checking image from pod spec, if the registry of the image is from the list of blocked registries we raise an alert.

Remediation

Limit the registries from which you pull container images from

Configuration

This control can be configured using the following parameters. Read CLI/UI documentation about how to change parameters.

Public registries

publicRegistries
Kubescape checks none of these public container registries are in use.

Registries block list

untrustedRegistries
Kubescape checks none of these user-provided container registries are in use.

Example

apiVersion: v1
kind: Pod
metadata:
  name: privileged
spec:
  containers:
    - name: pause
      image: k8s.gcr.io/pause # This is the line we check against the configured allowed registries