C-0078 - Images from allowed registry


AllControls, WorkloadScan, cis-eks-t1.2.0, cis-aks-t1.2.0, ArmoBest



Description of the the issue

If attackers get access to the cluster, they can re-point kubernetes to a compromized container repository. This control is intended to ensure that all the container images are taken from the authorized repositories only. User should list all the approved repositories in the parameters of this control so that any potential dangerous image can be identified.Note, this control is configurable. See below the details.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Checks if image is from allowed listed registry.


You should enable all trusted repositories in the parameters of this control.


This control can be configured using the following parameters. Read CLI/UI documentation about how to change parameters.

Allowed image repositories

Kubescape checks that all container images are from repositories explicitly allowed in this list.


No example