C-0078 - Images from allowed registry

Framework

WorkloadScan, cis-aks-t1.2.0, cis-eks-t1.2.0, ArmoBest, AllControls

Severity

Medium

Description of the the issue

If attackers get access to the cluster, they can re-point kubernetes to a compromized container repository. This control is intended to ensure that all the container images are taken from the authorized repositories only. User should list all the approved repositories in the parameters of this control so that any potential dangerous image can be identified.Note, this control is configurable. See below the details.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Checks if image is from allowed listed registry.

Remediation

You should enable all trusted repositories in the parameters of this control.

Configuration

This control can be configured using the following parameters. Read CLI/UI documentation about how to change parameters.

Allowed image repositories

imageRepositoryAllowList
Kubescape checks that all container images are from repositories explicitly allowed in this list.

Example

No example