C-0083 - Workloads with Critical vulnerabilities exposed to external traffic
Framework
Severity
High
Description of the the issue
Container images with known critical vulnerabilities pose elevated risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if either LoadBalancer or NodePort service assigned to them.
Related resources
Pod, Service
What does this control test
This control enumerates external facing workloads, that have LoadBalancer or NodePort services and checks image vulnerability information to see if the image has critical vulnerabilities.
Remediation
Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the pod to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.
Example
@controls/examples/c83.yaml
Updated 11 days ago