
Allowed registries are configured

An XCCDF Rule

Description

The configuration registrySources.allowedRegistries determines the permitted registries that the OpenShift container runtime can access for builds and pods. This setting ensures that all registries other than those specified are blocked. You can set the allowed registries by applying a patch with oc patch. For example, if you save the following snippet to /tmp/allowed-registries-patch.yaml:

spec:
  registrySources:
    allowedRegistries:
    - my-trusted-registry.internal.example.com

you would then run:

oc patch image.config.openshift.io cluster --patch="$(cat /tmp/allowed-registries-patch.yaml)" --type=merge

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/config.openshift.io/v1/images/cluster API endpoint, and save its response to the local file /apis/config.openshift.io/v1/images/cluster.
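The following is an added example, not code from this rule or from the ComplianceAsCode project. It evaluates an Image config dump of the kind the warning above describes (the JSON returned for /apis/config.openshift.io/v1/images/cluster) and reports whether registrySources.allowedRegistries is configured as the Description requires; the sample documents are constructed, and the function name check_allowed_registries is an assumption.

```python
import json
import sys

# Constructed sample of the JSON returned for /apis/config.openshift.io/v1/images/cluster
# (assumption: trimmed to the fields this check reads; not captured from a real cluster).
SAMPLE_COMPLIANT = json.dumps({
    "apiVersion": "config.openshift.io/v1",
    "kind": "Image",
    "metadata": {"name": "cluster"},
    "spec": {
        "registrySources": {
            "allowedRegistries": ["my-trusted-registry.internal.example.com"],
        }
    },
})

# Constructed sample with no registrySources at all: the default, unrestricted state.
SAMPLE_NONCOMPLIANT = json.dumps({
    "apiVersion": "config.openshift.io/v1",
    "kind": "Image",
    "metadata": {"name": "cluster"},
    "spec": {},
})


def check_allowed_registries(config_json: str) -> dict:
    """Return a verdict on a single Image config object (kind: Image, name: cluster).

    Passes only when allowedRegistries is a non-empty list. Also flags the case
    where both allowedRegistries and blockedRegistries are set, since OpenShift
    accepts only one of the two in registrySources.
    """
    cfg = json.loads(config_json)
    sources = cfg.get("spec", {}).get("registrySources") or {}
    allowed = sources.get("allowedRegistries") or []
    blocked = sources.get("blockedRegistries") or []
    findings = []
    if not allowed:
        findings.append("spec.registrySources.allowedRegistries is unset or empty")
    if allowed and blocked:
        findings.append("allowedRegistries and blockedRegistries are both set; only one may be used")
    return {"pass": not findings, "allowed": list(allowed), "findings": findings}


if __name__ == "__main__":
    # Usage: python check.py </path/to/saved/images/cluster>  (defaults to the constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NONCOMPLIANT
    result = check_allowed_registries(data)
    print("PASS" if result["pass"] else "FAIL", result["allowed"], result["findings"])
```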

Rationale

Allowed registries should be configured to restrict the registries that the OpenShift container runtime can access, and all other registries should be blocked.

ID
xccdf_org.ssgproject.content_rule_ocp_allowed_registries
Severity
Medium
References
Updated