C-0289 - Configure Image Provenance using ImagePolicyWebhook admission controller

Prerequisites

Run Kubescape with host sensor (see here)

Framework

cis-v1.10.0

Severity

High

Description of the issue

Kubernetes supports plugging in provenance rules to accept or reject the images in your deployments. You could configure such rules to ensure that only approved images are deployed in the cluster.

Related resources

What does this control test

Configure Image Provenance for your deployment.

How to check it manually

Review the pod definitions in your cluster and verify that image provenance is configured as appropriate.

Remediation

Follow the Kubernetes documentation and set up image provenance.
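
The ImagePolicyWebhook admission controller sends an ImageReview object (imagepolicy.k8s.io/v1alpha1) to a backend and reads the verdict from status.allowed. The sketch below is an added example, not code from Kubescape or Kubernetes, showing the decision logic such a backend could apply. The registry hostname, the "approved registry plus digest pinning" rule and the sample requests are assumptions made for illustration.

```python
import re

# Assumption: registry prefixes this cluster trusts (placeholder hostname).
# The trailing slash stops look-alike hosts that merely start with the same name.
APPROVED_PREFIXES = ("registry.example.internal/",)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def review(image_review: dict) -> dict:
    """Return the ImageReview response for one ImageReview request."""
    spec = image_review.get("spec") or {}
    containers = spec.get("containers") or []
    problems = []
    if not containers:
        # Fail closed on an empty or malformed request.
        problems.append("no containers in request")
    for container in containers:
        image = container.get("image", "")
        if not image.startswith(APPROVED_PREFIXES):
            problems.append(f"{image}: registry not approved")
        elif not DIGEST_RE.search(image):
            problems.append(f"{image}: not pinned by sha256 digest")
    status = {"allowed": not problems}
    if problems:
        status["reason"] = "; ".join(problems)
    return {"apiVersion": "imagepolicy.k8s.io/v1alpha1",
            "kind": "ImageReview", "status": status}

# Constructed sample requests in the shape the API server sends to the backend.
SAMPLE_DIGEST = "sha256:" + "a" * 64
SAMPLE_PINNED = {
    "apiVersion": "imagepolicy.k8s.io/v1alpha1", "kind": "ImageReview",
    "spec": {"namespace": "prod", "containers": [
        {"image": f"registry.example.internal/app@{SAMPLE_DIGEST}"}]},
}
SAMPLE_MIXED = {
    "apiVersion": "imagepolicy.k8s.io/v1alpha1", "kind": "ImageReview",
    "spec": {"namespace": "prod", "containers": [
        {"image": "registry.example.internal/app:latest"},
        {"image": "docker.io/library/nginx:1.25"}]},
}

if __name__ == "__main__":
    import json
    for request in (SAMPLE_PINNED, SAMPLE_MIXED):
        print(json.dumps(review(request)["status"]))
```

In the admission plugin configuration, setting defaultAllow to false makes the API server reject pods when the backend cannot be reached, so the policy fails closed.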

Impact Statement

You need to regularly maintain your provenance configuration based on container image updates.

Default Value

By default, image provenance is not set.

Example

No example