
All configured ImageStreams are configured to periodically check for updates

An XCCDF Rule

Description

The imagestream.spec.tags.importPolicy.scheduled setting determines whether an imagestream tag periodically checks for updates. This is useful when working with an external container image registry, because the image is re-imported periodically, for example to pick up the latest security updates.

You can set the scheduled update by calling:

$ oc patch imagestream NAME -n NAMESPACE --type merge -p '{"spec":{"tags":[{"name":"TAG_NAME","importPolicy":{"scheduled":true}}]}}'

For more information, see the ImageStreams documentation.

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API to retrieve the following:
  • The /apis/image.openshift.io/v1/imagestreams API endpoint: filter its output with the jq utility using the filter [.items[]] | map(.spec.tags[]?.importPolicy.scheduled != true) | any and persist the result to the local /apis/image.openshift.io/v1/imagestreams#47d97a900e89c07d2fcec9092f067d294f3d90e7c02e37b073c60576a6fa602f file.
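The jq filter above only yields a single boolean. The following added example (not part of the rule or the ComplianceAsCode project) applies the same logic in Python and also lists the tags that cause a finding. The function names and the sample dump are constructed for illustration.

```python
import json

# Constructed sample of the imagestreams endpoint output (not real cluster data).
SAMPLE_DUMP = json.loads("""
{"kind": "ImageStreamList", "items": [
  {"metadata": {"namespace": "app", "name": "web"},
   "spec": {"tags": [
     {"name": "latest", "importPolicy": {"scheduled": true}},
     {"name": "stable", "importPolicy": {}}]}},
  {"metadata": {"namespace": "app", "name": "db"},
   "spec": {"tags": [{"name": "13"}]}},
  {"metadata": {"namespace": "build", "name": "local-only"},
   "spec": {}}
]}
""")


def unscheduled_tags(dump):
    """Return (namespace, imagestream, tag) for every spec tag whose
    importPolicy.scheduled is not exactly true."""
    findings = []
    for item in dump.get("items") or []:
        meta = item.get("metadata") or {}
        # Like `.spec.tags[]?` in the jq filter: an imagestream without
        # spec tags contributes nothing to the result.
        for tag in (item.get("spec") or {}).get("tags") or []:
            policy = tag.get("importPolicy") or {}
            # A missing importPolicy or a missing "scheduled" key counts
            # as not scheduled, because null != true in jq.
            if policy.get("scheduled") is not True:
                findings.append(
                    (meta.get("namespace"), meta.get("name"), tag.get("name")))
    return findings


def rule_filter_result(dump):
    """Same boolean as the jq filter: True when any tag is not scheduled."""
    return bool(unscheduled_tags(dump))


if __name__ == "__main__":
    for ns, stream, tag in unscheduled_tags(SAMPLE_DUMP):
        print(f"{ns}/{stream}:{tag} has no scheduled import")
    print("filter result:", str(rule_filter_result(SAMPLE_DUMP)).lower())
```

To run it against a real dump, load the JSON saved from the endpoint with json.load() and pass it to unscheduled_tags().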

Rationale

Periodically refreshing container images helps keep them up to date and ensures that relevant updates are applied in a timely manner.

ID
xccdf_org.ssgproject.content_rule_imagestream_sets_schedule
Severity
Medium