C-0078 - Images from private registry

Images from private registry

Framework

Description of the the issue

The images that are running in the cluster can be stored in a private registry. For pulling those images, the container runtime engine (such as Docker or containerd) needs to have valid credentials to those registries. If the registry is hosted by the cloud provider, in services like Azure Container Registry (ACR) or Amazon Elastic Container Registry (ECR), cloud credentials are used to authenticate to the registry. If attackers get access to the cluster, in some cases they can obtain access to the private registry and pull its images. For example, attackers can use the managed identity token as described in the “Access managed identity credential” technique. Similarly, in EKS, attackers can use the AmazonEC2ContainerRegistryReadOnly policy that is bound by default to the node’s IAM role.Note, this control is configurable. See bellow the details.

Related resources

CronJob, DaemonSet, Deployment, Job, Pods, ReplicaSet, ServiceAccounts, StatefulSet

What does this control test

Checks if image is from allowed listed registry and has no imagePullSecrets. Checks if more than one service account has access to an ImagePullSecrets.

Remediation

You should use private container repositories as using public repositories might add to your risk.

Configuration

This control can be configured using the following parameters. Read CLI/UI documentation about how to change parameters.

Allowed image repositories

imageRepositoryAllowList
Kubescape checks that all containers are using an image from an allowed repository from the following list.

Example

No example


Did this page help you?