
V-260942

CAT II (Medium)

MKE must only run signed images.

Rule ID

SV-260942r986164_rule

STIG

Mirantis Kubernetes Engine Security Technical Implementation Guide

Version

V2R1

CCIs

CCI-001774, CCI-003992

Discussion

Controlling the sources from which container images can be pulled allows the organization to define what software can run within MKE. Allowing any container image to be introduced and instantiated within MKE may introduce malicious code and vulnerabilities to the platform and the hosting system. MKE must deny all container images except those signed by organization-approved sources.

Check Content

On each node, check that MKE is configured to only run images signed by applicable Orgs and Teams.

1. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Docker Content Trust.

If "Run only signed images" under Content Trust Settings is disabled, this is a finding.

2. Verify that the Orgs and Teams that images must be signed by in the drop-down matches the organizational policies.

If an Org or Team selected does not match organizational policies, this is a finding. 

3. Verify that all images sitting on an MKE cluster are signed.

Via CLI:
Linux: As an MKE Admin, execute the following command using a client bundle:

docker trust inspect $(docker images --format '{{.Repository}}:{{.Tag}}' | grep -v '<none>')

Using --format (rather than piping the unformatted "docker images" table through awk) keeps the REPOSITORY:TAG header line and untagged <none>:<none> entries out of the argument list, so every error "docker trust inspect" reports belongs to a real image. Verify that every image tag in the JSON output has a valid signature; for an unsigned tag, "docker trust inspect" reports no signatures and exits non-zero. If any image is not signed, this is a finding.

Fix Text

On each node, enable Content Trust enforcement in MKE.

1. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Docker Content Trust.

Under Content Trust Settings section, enable "Run only signed images".

2. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Docker Content Trust.

Click "Add Team +" and set the appropriate Orgs and Teams that must sign images. Use the drop-down ("v") that follows to match the organizational policies.

Remove any unwanted teams by clicking the minus symbol.

Click "Save".

3. Manually remove any unsigned images sitting on an MKE cluster by executing the following:

docker rmi <IMAGE_ID>
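The following script automates check step 3 and produces the "docker rmi" lines for fix step 3 above. It is an added example for this page, not code from DISA, Mirantis or MKE. It assumes "docker" is on PATH with the client bundle's environment sourced, and that the placeholder APPROVED_SIGNERS set mirrors the Orgs and Teams selected under Admin Settings >> Docker Content Trust. It goes slightly beyond the STIG's check by also flagging tags whose signers are not on that approved list, and it treats a tag that is missing from a repository's SignedTags as unsigned even when other tags of the same repository are signed. The "docker trust inspect" results under SAMPLE_INSPECT are constructed so that the script can be run offline with --demo.

```python
#!/usr/bin/env python3
"""Audit images visible through an MKE client bundle for Docker Content
Trust signatures and approved signers (V-260942, check step 3) and emit
the `docker rmi` lines for fix step 3.

Added example for this page; not DISA, Mirantis or MKE code. Assumes
`docker` on PATH with the client bundle sourced, and that APPROVED_SIGNERS
(placeholder) matches the Orgs/Teams chosen in Admin Settings >>
Docker Content Trust."""
import json
import subprocess
from typing import Callable, Dict, List, Tuple

# Placeholder for the signers organizational policy allows (assumption).
APPROVED_SIGNERS = {"Repo Admin", "security-team"}

# Constructed sample of `docker trust inspect` results keyed by image ref:
# (exit code, stdout). Unsigned refs exit non-zero with no JSON on stdout.
SAMPLE_INSPECT = {
    "registry.example.com/app/web:1.4": (0, json.dumps([{
        "Name": "registry.example.com/app/web:1.4",
        "SignedTags": [{"SignedTag": "1.4", "Digest": "3a7f...",
                        "Signers": ["security-team"]}]}])),
    "registry.example.com/app/web:1.5": (0, json.dumps([{
        "Name": "registry.example.com/app/web:1.5",
        "SignedTags": [{"SignedTag": "1.5", "Digest": "9c21...",
                        "Signers": ["contractor-x"]}]}])),
    "busybox:latest": (1, ""),
}


def list_images(run: Callable = subprocess.run) -> List[str]:
    """repo:tag for every image. --format skips the header line that
    `docker images | awk` passes on; untagged <none> entries are dropped."""
    out = run(["docker", "images", "--format", "{{.Repository}}:{{.Tag}}"],
              capture_output=True, text=True, check=True).stdout
    return sorted({ln.strip() for ln in out.splitlines()
                   if ln.strip() and "<none>" not in ln})


def trust_inspect(ref: str, run: Callable = subprocess.run) -> Tuple[int, str]:
    """`docker trust inspect REF`: JSON array on stdout, non-zero if unsigned."""
    p = run(["docker", "trust", "inspect", ref], capture_output=True, text=True)
    return p.returncode, p.stdout


def sample_inspect(ref: str) -> Tuple[int, str]:
    """Offline stand-in for trust_inspect backed by the constructed sample."""
    return SAMPLE_INSPECT.get(ref, (1, ""))


def classify(ref: str, rc: int, stdout: str) -> Tuple[str, List[str]]:
    """Return ('signed' | 'unsigned' | 'unapproved-signer', signers).
    Trust data for other tags of the repo does not make this tag signed."""
    if rc != 0:
        return "unsigned", []
    try:
        entries = json.loads(stdout or "[]")
    except json.JSONDecodeError:
        return "unsigned", []
    tag = ref.rsplit(":", 1)[-1]
    signers: List[str] = []
    for entry in entries:
        for st in entry.get("SignedTags", []):
            if st.get("SignedTag") == tag:
                signers.extend(st.get("Signers", []))
    if not signers:
        return "unsigned", []
    if not set(signers) <= APPROVED_SIGNERS:
        return "unapproved-signer", signers
    return "signed", signers


def audit(images: List[str], inspect: Callable = trust_inspect) -> Dict[str, List[str]]:
    """Group image refs by trust status."""
    findings: Dict[str, List[str]] = {"signed": [], "unsigned": [],
                                      "unapproved-signer": []}
    for ref in images:
        rc, out = inspect(ref)
        findings[classify(ref, rc, out)[0]].append(ref)
    return findings


def remediation(findings: Dict[str, List[str]]) -> List[str]:
    """`docker rmi` lines for fix step 3; review before executing."""
    return [f"docker rmi {ref}"
            for ref in findings["unsigned"] + findings["unapproved-signer"]]


if __name__ == "__main__":
    import sys
    if "--demo" in sys.argv:  # offline run against the constructed sample
        result = audit(sorted(SAMPLE_INSPECT), sample_inspect)
    else:
        result = audit(list_images())
    for status in ("unsigned", "unapproved-signer"):
        for ref in result[status]:
            print(f"FINDING ({status}): {ref}")
    print("\n".join(remediation(result)))
```

Any image listed under "unsigned" or "unapproved-signer" is a finding for this rule. The script prints the removal commands rather than running them, since "docker rmi" against an image a running container still uses will fail or, with --force, leave a dangling layer, so the removal is better done deliberately per image.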