MKE must only run signed images.

An XCCDF Rule

Description

<VulnDiscussion>Controlling the sources where container images can be pulled from allows the organization to define what software can be run within MKE. Allowing any container image to be introduced and instantiated within MKE may introduce malicious code and vulnerabilities to the platform and the hosting system. MKE registry must deny all container images except for those signed by organizational-approved sources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-260942r1015772_rule
Severity: Medium
References: CCI-001749 CCI-001774 CCI-003992
Updated: 19 days ago

On each node, enable Content Trust enforcement in MKE.

1. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Docker Content Trust.

Under Content Trust Settings section, enable "Run only signed images".
2. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Docker Content Trust.

Click "Add Team +" and set the appropriate Orgs and Teams that must sign images. Use the drop-down ("v") that follows to match the organizational policies.

Remove any unwanted teams by clicking the minus symbol.

Click "Save".

3. Manually remove any unsigned images sitting on an MKE cluster by executing the following:

docker rmi <IMAGE_ID>

MKE must only run signed images.

Description

Remediation - Manual Procedure