C-0001 - Forbidden Container Registries

Forbidden Container Registries



Description of the the issue

Running a compromised image in a cluster can compromise the cluster. Attackers who get access to a private registry can plant their own compromised images in the registry. The latter can then be pulled by a user. In addition, users often use untrusted images from public registries (such as Docker Hub) that may be malicious. Building images based on untrusted base images can also lead to similar results.Note, this control is configurable. See bellow the details.

Related resources

CronJob, DaemonSet, Deployment, Job, Pods, ReplicaSet, StatefulSet

What does this control test

Checking image from pod spec, if the registry of the image is from the list of blocked registries we raise an alert.


Limit the registries from which you pull container images from


This control can be configured using the following parameters. Read CLI/UI documentation about how to change parameters.

Public registries

Kubescape checks none of these public registries are in use.

Registries block list

Kubescape checks none of the following registries are in use.


apiVersion: v1
kind: Pod
  name: privileged
    - name: pause
      image: k8s.gcr.io/pause # This is the line we check against the configured allowed registries 

Did this page help you?