Enforcing container image security
By using the IBM Container Image Security Enforcement feature, you can verify the integrity of your container images before you deploy them to an IBM Cloud Private cluster.
IBM Container Image Security Enforcement controls where images are deployed from, and enforces Vulnerability Advisor (VA) policies. If an image does not meet your defined policy requirements, the pod is not deployed.
Policy definition
For each image in a repository, an image policy scope of either `cluster` or `namespace` is applied. When you deploy an application, IBM Container Image Security Enforcement checks whether the Kubernetes namespace that you are deploying to has any policy regulations that must be applied. If a `namespace` policy does not exist, then the `cluster` policy is applied. If the `namespace` and `cluster` policies overlap, the `cluster` scope is ignored. If neither a `cluster` nor a `namespace` scope policy exists, your deployment fails to launch. You might see an error message similar to the following message:

```
... release ... failed: Internal error occurred: admission webhook "trust.hooks.securityenforcement.admission.cloud.ibm.com" denied the request:
Deny "docker.io/rook/rook:v0.7.1", no matching repositories in ClusterImagePolicy and no ImagePolicies in the "default" namespace
```
Note: Any pod that is deployed to namespaces that are reserved for IBM Cloud Private services bypasses the container image security check. The following namespaces are reserved for IBM Cloud Private services:

- `kube-system`
- `cert-manager`
- `istio-system`

To resolve the issue, create a policy.

The policy definition is configured in the `<installation_cluster>/cluster/config.yaml` file or by using the management console.
```yaml
apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
kind: <ClusterImagePolicy_or_ImagePolicy>
metadata:
  name: <crd_name>
spec:
  repositories:
    - name: <repository_name>
      policy:
        va:
          enabled: <true_or_false>
```
- `<repository_name>` specifies the repositories to allow images from. This is the list of repositories that contain trusted content. A wildcard (`*`) character is allowed in the repository name. This wildcard (`*`) character denotes that images from all repositories are allowed or trusted. To set all your repositories to trusted, set the repository name to `*` and omit the policy subsections. Repositories by default require a policy check, with the exception of the default `mycluster.icp:8500` repository. An empty or blank repository name value blocks deployment of all images.
- When `va` is set to `enabled: true` for a container registry, any attempt to deploy pods from images in that registry is blocked. If you want to deploy images from these registries, you must remove the `va` policy specification. The default IBM Cloud Private built-in container registry is the only registry that supports the Vulnerability Advisor policy enforcement.
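The policy evaluation described above (namespace scope taking precedence over cluster scope, reserved namespaces bypassing the check, `*` wildcards in repository names, an empty name blocking everything, and the `va` flag) is easier to reason about when written out. The following is an added Python model of that decision logic; it is not IBM's product code. The registry host `mycluster.icp:8500`, the namespaces and the image names are constructed, and the Docker-style normalization of short image names and the `va_scan` callback are assumptions about how the webhook behaves, not something the page states.

```python
"""Model of the admission decision that the page describes for IBM Container
Image Security Enforcement. Added example, not the product's own code:
policies are plain dicts that mirror the ClusterImagePolicy / ImagePolicy
spec, and the built-in registry host, namespaces and image names below are
constructed for illustration."""
import re

# Namespaces the page lists as reserved for IBM Cloud Private services;
# pods deployed there bypass the image security check.
RESERVED_NAMESPACES = {"kube-system", "cert-manager", "istio-system"}

# Assumed built-in registry host for a cluster named "mycluster"; the page
# names the built-in registry as the only one that supports VA enforcement.
BUILTIN_REGISTRY = "mycluster.icp:8500"


def normalize(image):
    """Expand short Docker references ("nginx", "rook/rook:v0.7.1") to the
    fully qualified form the webhook reports ("docker.io/rook/rook:v0.7.1").
    Assumption: the webhook normalizes references the way Docker does."""
    parts = image.split("/")
    first = parts[0]
    has_registry = len(parts) > 1 and ("." in first or ":" in first or first == "localhost")
    if not has_registry:
        parts.insert(0, "docker.io")
        if len(parts) == 2:  # bare official image lives under library/
            parts.insert(1, "library")
    return "/".join(parts)


def repo_matches(pattern, image):
    """True if a repository name from the policy matches the image reference.
    Only '*' is a wildcard; an empty or blank name matches nothing, which is
    how the page says it blocks deployment of all images."""
    if not pattern.strip():
        return False
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, image) is not None


def select_policy(namespace, cluster_policy, namespace_policies):
    """A namespace-scoped ImagePolicy takes precedence; otherwise the
    ClusterImagePolicy applies; None when neither exists."""
    return namespace_policies.get(namespace, cluster_policy)


def admit(image, namespace, cluster_policy=None, namespace_policies=None, va_scan=None):
    """Return (allowed, reason) for deploying `image` into `namespace`.

    va_scan is a callable image -> bool standing in for the Vulnerability
    Advisor verdict on an image in the built-in registry (assumed interface)."""
    namespace_policies = namespace_policies or {}
    if namespace in RESERVED_NAMESPACES:
        return True, f'Allow "{image}", namespace "{namespace}" bypasses the image security check'
    ref = normalize(image)
    policy = select_policy(namespace, cluster_policy, namespace_policies)
    if policy is None:
        return False, (f'Deny "{ref}", no ClusterImagePolicy and no ImagePolicies '
                       f'in the "{namespace}" namespace')
    for repo in policy.get("repositories") or []:
        name = repo.get("name", "")
        if not repo_matches(name, ref):
            continue
        va_enabled = ((repo.get("policy") or {}).get("va") or {}).get("enabled", False)
        if va_enabled:
            # VA enforcement is only supported for the built-in registry;
            # for any other registry the page says the deployment is blocked.
            if not ref.startswith(BUILTIN_REGISTRY + "/"):
                return False, f'Deny "{ref}", VA enforcement is only supported for the built-in registry'
            if va_scan is None or not va_scan(ref):
                return False, f'Deny "{ref}", image has not passed the Vulnerability Advisor scan'
        return True, f'Allow "{ref}", matched repository "{name}"'
    return False, f'Deny "{ref}", no matching repositories in the policy for namespace "{namespace}"'


# Constructed sample policies mirroring the YAML shape used on this page.
CLUSTER_POLICY = {"repositories": [
    {"name": f"{BUILTIN_REGISTRY}/*", "policy": {"va": {"enabled": True}}},
    {"name": "docker.io/*", "policy": None},
    {"name": "quay.io/*", "policy": None},
]}
NAMESPACE_POLICIES = {"dev": {"repositories": [{"name": "gcr.io/*", "policy": None}]}}

if __name__ == "__main__":
    for image, ns in [("rook/rook:v0.7.1", "default"), ("rook/rook:v0.7.1", "dev"),
                      ("gcr.io/proj/app:1", "dev"),
                      (f"{BUILTIN_REGISTRY}/default/app:1", "default"),
                      ("nginx", "kube-system")]:
        print(admit(image, ns, CLUSTER_POLICY, NAMESPACE_POLICIES, va_scan=lambda r: True))
```

Running the block shows the same image being allowed in `default` (cluster policy) and denied in `dev` (the namespace policy lists only `gcr.io/*`, and the cluster policy is ignored once a namespace policy exists), which is the precedence rule worth checking before you roll a namespace policy out.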
Enabling and disabling IBM Container Image Security Enforcement
IBM Container Image Security Enforcement is available as a Kubernetes chart and is enabled by default during the IBM Cloud Private installation.

To disable IBM Container Image Security Enforcement during installation, add `image_security_enforcement` to the list of disabled services (`management_services`) in the IBM Cloud Private cluster `config.yaml`.

After installation of an IBM Cloud Private cluster, the cluster administrator can uninstall the Kubernetes chart.
Default policy
The default security enforcement image policy is of scope `cluster`. With this policy, only the images that are stored in the built-in container registry (the first one in the policy white list) and the images that are used in the IBM Cloud Private Catalog (others in the policy white list) can be used in the cluster. For example:

```yaml
image-security-enforcement:
  clusterImagePolicy:
    - name: "{{ cluster_CA_domain }}:8500/*"
    - name: "registry.bluemix.net/ibm/*"
    - name: ...
```

Note: By default, the Vulnerability Advisor (VA) Container Image Security Enforcement doesn't apply to the Default policy.
Customizing your policy (during installation)
You can modify the image policy, either at the `cluster` or `namespace` level, after you install your IBM Cloud Private cluster. In your policy, you can specify different enforcement rules for different images.

You can also pre-define the `cluster` scope image policy before you install IBM Cloud Private. This pre-defined setting overwrites the default `cluster` scope image policy during installation.

To pre-define the `cluster` scope image policy before installation, modify the `config.yaml` file.

For example, by adding the following to the `config.yaml` file, you allow all the images that are in the `quay.io` repository to be used for deployments in your cluster.

```yaml
image-security-enforcement:
  clusterImagePolicy:
    - name: "quay.io/*"
      policy:
```
Customizing your policy (post installation)
You can also deploy the policy as a Kubernetes object after installation of your cluster. To deploy the policy as a Kubernetes object, use the `kubectl apply` command.

1. Create a `policy.yaml` file that holds the policy specifications. The following are a few sample policy configurations that you might use for your `policy.yaml` file.

   - This policy allows container images from Docker Hub container registry, CoreOS container registry, Google container registry, Azure container registry, Amazon Elastic container registry and IBM container registry.

     ```yaml
     apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
     kind: ClusterImagePolicy
     metadata:
       name: ibmcloud-default-cluster-image-policy
     spec:
       repositories:
         # Docker hub Container Registry
         - name: "docker.io/*"
           policy:
         # CoreOS Container Registry
         - name: "quay.io/*"
           policy:
         # Google Container Registry
         - name: "gcr.io/*"
           policy:
         # Azure Container Registry
         - name: "*azurecr.io/*"
           policy:
         # Amazon Elastic Container Registry
         - name: "*amazonaws.com/*"
           policy:
         # IBM Container Registry
         - name: "registry*.bluemix.net/*"
           policy:
     ```

   - This policy allows images from any container registry.

     ```yaml
     apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
     kind: ClusterImagePolicy
     metadata:
       name: ibmcloud-default-cluster-image-policy
     spec:
       repositories:
         # allow all images
         - name: "*"
           policy:
     ```

   - This policy denies all images from any container registry, including the IBM Container Image Security Enforcement image.

     ```yaml
     apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
     kind: ClusterImagePolicy
     metadata:
       name: ibmcloud-default-cluster-image-policy
     spec:
       repositories:
     ```

2. Apply the policy.

   ```
   kubectl apply -f policy.yaml
   ```
Image security enforcement by using the IBM Cloud Private Web console
You can create an image enforcement policy by using the IBM Cloud Private Web console that sets guidelines for pods that are created in your cluster. Complete the following steps to create an image policy:

1. Log in to the IBM Cloud Private Web console of your cluster with an ID that has cluster administrator access.
2. In the navigation menu, select Manage > Resource Security.
3. Select Image Policies. A list of available image policies is displayed.
4. Select Create Image Policy.
5. Enter a name for your image policy. The name must be a single string that only contains letters, numbers, underscores (_), and hyphens (-).
6. Select the Scope of the policy to define what resources are restricted by the policy from the following options:
   - Cluster - The policy applies to everything in the current cluster.
   - Namespace - The policy applies to everything in the specified namespace.
7. If you selected namespace as your scope, select an existing namespace from the list to identify which name.
8. Select Add Registry to specify a trusted area from which you can receive images. The default behavior is to reject all images. Adding a registry identifies that location as a permitted source for images.
   - Specify a Registry URL to allow that registry as a trusted source. The Registry URL has a format similar to the following examples:
     - Permit all images from Docker Hub: `docker.io/*`
     - Permit all images from the ibmcom repository: `docker.io/ibmcom/*`
   - Specify whether you want to run the Vulnerability Advisor scan policy, if you have it installed. If it is installed and this setting is enabled, the image must pass the Vulnerability Advisor scan before it is installed.
   - Select Add to create the new registry.
9. Select Add to save and create the new image policy.

You can remove an image policy by selecting the Open and close the list of options (...) icon for the image policy, and then selecting Remove.