V-233231

Discussion

Obsolete and stale images need to be removed from the registry to ensure the container platform maintains a secure posture. While the storing of these images does not directly pose a threat, they do increase the likelihood of these images being deployed. Removing stale or obsolete images and only keeping the most recent versions of those that are still in use removes any possibility of vulnerable images being deployed.

Check Content

Review container platform registry documentation and configuration to determine if organization-defined images contains latest approved vendor software image version. 

If organization-defined images do not contain the latest approved vendor software image version, this is a finding. 

Review container platform registry documentation and configuration to determine if organization-defined images are removed after updated versions have been installed. 

If organization-defined images are not removed after updated versions have been installed, this is a finding. 

Review container platform runtime documentation and configuration to determine if organization-defined images are executing latest image version from the container registry. 

If container platform runtime is not executing latest organization-defined images from the container platform registry, this is a finding.