Allowed registries for import are configured
An XCCDF Rule
Description
The configuration allowedRegistriesForImport limits the container
image registries from which normal users may import images. This is important
to control, because a user who can stand up a malicious registry could otherwise
import content that claims to carry the SHA digests of legitimate content layers.
You can set the allowed registries for import by applying the following
patch with oc patch. For example, save the following snippet to
/tmp/allowed-import-registries-patch.yaml:

spec:
  allowedRegistriesForImport:
  - domainName: my-trusted-registry.internal.example.com
    insecure: false

and then run:

oc patch image.config.openshift.io cluster --patch="$(cat /tmp/allowed-import-registries-patch.yaml)" --type=merge

Because a merge patch replaces the whole list, include every registry that should remain allowed. Note that this setting governs image imports (image streams) only; which registries pods may pull from is controlled separately by registrySources.
Warning
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the
/apis/config.openshift.io/v1/images/cluster
API endpoint, and save the result to the local /apis/config.openshift.io/v1/images/cluster
file.
Rationale
Allowed registries for import should be specified to limit the registries from which users may import images.
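The following script is an added example written for this page, not the rule's own check from the ComplianceAsCode content; it evaluates a saved copy of the images/cluster API object the way the warning above describes and applies the same criterion as the rationale. The two embedded dumps are constructed samples in the shape `oc get image.config.openshift.io cluster -o json` returns, trimmed to the fields this rule reads; the function and file names are the author's choices.

```python
"""Evaluate an OpenShift image.config.openshift.io/cluster dump for the
allowedRegistriesForImport setting (added example, not the rule's own OVAL check)."""
import json
import sys

# Constructed sample: a cluster where the patch from this page has been applied.
CONFIGURED_DUMP = json.dumps({
    "apiVersion": "config.openshift.io/v1",
    "kind": "Image",
    "metadata": {"name": "cluster"},
    "spec": {
        "allowedRegistriesForImport": [
            {"domainName": "my-trusted-registry.internal.example.com",
             "insecure": False}
        ]
    },
})

# Constructed sample: the default state, where spec is empty and users may
# import images from any registry.
UNCONFIGURED_DUMP = json.dumps({
    "apiVersion": "config.openshift.io/v1",
    "kind": "Image",
    "metadata": {"name": "cluster"},
    "spec": {},
})


def evaluate(dump_text):
    """Return (passed, findings) for one images/cluster dump.

    passed is True only when spec.allowedRegistriesForImport is a non-empty
    list whose every entry names a registry. Entries marked insecure: true do
    not fail the rule (it only requires the allowlist to be set) but are
    reported, since they permit plain HTTP or unverified TLS to that registry.
    """
    findings = []
    doc = json.loads(dump_text)
    if doc.get("kind") != "Image" or doc.get("metadata", {}).get("name") != "cluster":
        findings.append("dump is not the image.config.openshift.io/cluster object")
        return False, findings

    allowed = doc.get("spec", {}).get("allowedRegistriesForImport")
    if not isinstance(allowed, list) or not allowed:
        findings.append("spec.allowedRegistriesForImport is unset or empty: "
                        "users may import images from any registry")
        return False, findings

    passed = True
    for idx, entry in enumerate(allowed):
        domain = entry.get("domainName") if isinstance(entry, dict) else None
        if not domain:
            findings.append(f"entry {idx} has no domainName")
            passed = False
            continue
        if entry.get("insecure"):
            findings.append(f"{domain}: insecure: true allows plain HTTP or "
                            "unverified TLS for this registry")
    return passed, findings


def main(path):
    """Evaluate a dump saved from the API endpoint and print the verdict."""
    with open(path) as fh:
        passed, findings = evaluate(fh.read())
    print("PASS" if passed else "FAIL")
    for line in findings:
        print(" -", line)
    return 0 if passed else 1


if __name__ == "__main__":
    if len(sys.argv) == 2:
        sys.exit(main(sys.argv[1]))
    # No path given: run against the constructed samples.
    for name, dump in (("configured", CONFIGURED_DUMP),
                       ("unconfigured", UNCONFIGURED_DUMP)):
        passed, findings = evaluate(dump)
        print(name, "PASS" if passed else "FAIL", findings)
```

Run it against the file you saved from the API endpoint (for example `python3 check_allowed_registries.py ./apis/config.openshift.io/v1/images/cluster`); with no argument it evaluates the two built-in samples. The insecure flag is reported rather than failed because the rule as written only requires the allowlist to exist; treat such entries as a follow-up hardening item.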
- ID
- xccdf_org.ssgproject.content_rule_ocp_allowed_registries_for_import
- Severity
- Medium
- Updated