OpenShift must remove old components after updated versions have been installed.
An XCCDF Rule
Description
<VulnDiscussion>Previous versions of OpenShift components that are not removed from the container platform after updates have been installed may be exploited by adversaries by causing older components to execute which contain vulnerabilities. When these components are deleted, the likelihood of this happening is removed. Satisfies: SRG-APP-000454-CTR-001110, SRG-APP-000454-CTR-001115</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-257570r961677_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Enable the image pruner to automate the pruning of images from the cluster by executing the following:
oc patch imagepruners.imageregistry.operator.openshift.io/cluster --type=merge -p '{"spec":{"suspend":false}}'
For additional details on configuring the image pruner operator, refer to the following document:
https://docs.openshift.com/container-platform/4.8/applications/pruning-objects.html#pruning-images_pruning-objects