C-0078 - Images from allowed registry
Framework
WorkloadScan, cis-aks-t1.2.0, cis-eks-t1.2.0, ArmoBest, AllControls
Severity
Medium
Description of the the issue
If attackers get access to the cluster, they can re-point kubernetes to a compromized container repository. This control is intended to ensure that all the container images are taken from the authorized repositories only. User should list all the approved repositories in the parameters of this control so that any potential dangerous image can be identified.Note, this control is configurable. See below the details.
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Checks if image is from allowed listed registry.
Remediation
You should enable all trusted repositories in the parameters of this control.
Configuration
This control can be configured using the following parameters. Read CLI/UI documentation about how to change parameters.
Allowed image repositories
imageRepositoryAllowList
Kubescape checks that all container images are from repositories explicitly allowed in this list.
Example
No example
Updated 11 days ago