
Configure ImagePruner so that images that are no longer needed are automatically removed

An XCCDF Rule

Description

Images in the internal registry that are no longer required by the system because of their age, their status, or because they exceed configured limits are automatically pruned. Cluster administrators can configure the pruning Custom Resource, or suspend it.

For more information on configuring the ImagePruner, consult the OpenShift documentation: https://access.redhat.com/documentation/en-us/openshift_container_platform/latest/html/building_applications/pruning-objects

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need a tool that can query the OCP API, retrieve the /apis/imageregistry.operator.openshift.io/v1/imagepruners/cluster API endpoint, and save its contents to the local /apis/imageregistry.operator.openshift.io/v1/imagepruners/cluster file.
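
The following is an added example, not code from ComplianceAsCode or OpenShift, of how a check over that dump can be evaluated offline. It assumes the rule's logic is simply that the ImagePruner named cluster must not have spec.suspend set to true (the other spec fields are reported for review, not required by the rule); the two embedded dumps are constructed samples shaped like the output of oc get imagepruner cluster -o json, and the function names are hypothetical.

```python
"""Evaluate an OpenShift ImagePruner API dump for the image_pruner_active rule.

Added example, not ComplianceAsCode or OpenShift code. Assumed check logic:
the pruner is active when spec.suspend is not true. The schedule, the tag
revision count and the age threshold are sanity-checked as well so that an
administrator reviewing the dump sees obviously broken values.
"""
import json
import re

# Local path where the rule expects the API dump to be saved (see the Warning above).
DUMP_PATH = "/apis/imageregistry.operator.openshift.io/v1/imagepruners/cluster"

# Constructed sample: a suspended pruner. Nothing is ever pruned in this state.
SUSPENDED_DUMP = json.dumps({
    "apiVersion": "imageregistry.operator.openshift.io/v1",
    "kind": "ImagePruner",
    "metadata": {"name": "cluster"},
    "spec": {"suspend": True, "schedule": "", "keepTagRevisions": 3,
             "keepYoungerThanDuration": "60m"},
})

# Constructed sample: an active pruner running daily at midnight.
ACTIVE_DUMP = json.dumps({
    "apiVersion": "imageregistry.operator.openshift.io/v1",
    "kind": "ImagePruner",
    "metadata": {"name": "cluster"},
    "spec": {"suspend": False, "schedule": "0 0 * * *", "keepTagRevisions": 3,
             "keepYoungerThanDuration": "60m"},
})

_CRON_FIELDS = 5
# Simplified Go-style duration (e.g. "60m", "1h30m"); fractional values are not covered.
_DURATION_RE = re.compile(r"^(\d+h)?(\d+m)?(\d+s)?$")


def evaluate_image_pruner(dump_text: str) -> tuple[bool, list[str]]:
    """Return (compliant, findings) for one ImagePruner JSON document."""
    doc = json.loads(dump_text)
    findings: list[str] = []
    if doc.get("kind") != "ImagePruner" or doc.get("metadata", {}).get("name") != "cluster":
        findings.append("document is not the ImagePruner named 'cluster'")
        return False, findings
    spec = doc.get("spec") or {}

    # Core condition of the rule: a suspended pruner schedules no pruning jobs.
    if spec.get("suspend") is True:
        findings.append("spec.suspend is true: pruning jobs are not scheduled")

    # An empty schedule means the operator default (daily); otherwise expect 5 cron fields.
    schedule = spec.get("schedule", "")
    if schedule and len(schedule.split()) != _CRON_FIELDS:
        findings.append(f"spec.schedule {schedule!r} is not a 5-field cron expression")

    # keepTagRevisions must be a non-negative integer (bool is excluded, it subclasses int).
    revisions = spec.get("keepTagRevisions")
    if revisions is not None and (isinstance(revisions, bool)
                                  or not isinstance(revisions, int) or revisions < 0):
        findings.append(f"spec.keepTagRevisions {revisions!r} must be a non-negative integer")

    duration = spec.get("keepYoungerThanDuration")
    if duration is not None and not (duration and _DURATION_RE.match(duration)):
        findings.append(f"spec.keepYoungerThanDuration {duration!r} is not a Go-style duration")

    return not findings, findings


def evaluate_dump_file(path: str = DUMP_PATH) -> tuple[bool, list[str]]:
    """Evaluate the dump saved at `path` (the file the rule's check reads)."""
    with open(path, encoding="utf-8") as fh:
        return evaluate_image_pruner(fh.read())


if __name__ == "__main__":
    for label, dump in (("suspended", SUSPENDED_DUMP), ("active", ACTIVE_DUMP)):
        ok, findings = evaluate_image_pruner(dump)
        print(f"{label}: {'PASS' if ok else 'FAIL'}", *findings, sep="\n  ")
```

On a live cluster the dump is produced with oc get imagepruner cluster -o json redirected to the local file path, and a suspended pruner is re-enabled with oc patch imagepruner cluster --type merge -p '{"spec":{"suspend":false}}'.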

Rationale

Obsolete and stale images need to be removed from the registry so that the container platform maintains a secure posture. While storing these images does not directly pose a threat, it does increase the likelihood of their being deployed.

Removing stale or obsolete images, and keeping only the most recent versions of those still in use, removes any possibility of vulnerable images being deployed.

ID
xccdf_org.ssgproject.content_rule_image_pruner_active
Severity
Medium
References
Updated