Check configured allowed registries for import uses secure protocol
An XCCDF Rule
Description
The configuration allowedRegistriesForImport limits the container image registries from which normal users may import images. This is a list of the registries that can be trusted to contain valid images, and each configured image location is assumed to be secure unless configured otherwise. It is important to allow only secure registries in order to avoid man-in-the-middle attacks: an insecure (plain HTTP or unverified TLS) image import request can be impersonated and could lead to fetching malicious content.
List all the allowed registries for import configured with insecure set to true using the following command:

oc get image.config.openshift.io/cluster -o json | jq '.spec | (.allowedRegistriesForImport[])? | select(.insecure==true)'

Remove or edit the listed registries that have insecure set by using the command:

oc edit image.config.openshift.io/cluster

For more information, follow the relevant documentation.
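As an added example (not part of the rule or of the ComplianceAsCode project), the same check carried out offline in Python against a saved copy of the images/cluster object instead of with jq. The JSON below is constructed, and the code assumes each list entry uses the domainName field of OpenShift's RegistryLocation type; an entry with no insecure field counts as secure, as the rule text assumes.

```python
import json
from typing import List

# Constructed sample of the object returned by
# `oc get image.config.openshift.io/cluster -o json`; not from a real cluster.
SAMPLE_IMAGE_CONFIG = """
{
  "apiVersion": "config.openshift.io/v1",
  "kind": "Image",
  "metadata": {"name": "cluster"},
  "spec": {
    "allowedRegistriesForImport": [
      {"domainName": "registry.redhat.io", "insecure": false},
      {"domainName": "internal-mirror.example.com:5000", "insecure": true},
      {"domainName": "quay.io"}
    ]
  }
}
"""


def insecure_import_registries(config_json: str) -> List[str]:
    """Return the domainName of every allowedRegistriesForImport entry with insecure: true.

    Mirrors the rule's jq filter
      .spec | (.allowedRegistriesForImport[])? | select(.insecure==true)
    A missing spec or list yields no findings (the jq `?`), and an entry that
    omits `insecure` is treated as secure (the API default).
    """
    doc = json.loads(config_json)
    entries = doc.get("spec", {}).get("allowedRegistriesForImport") or []
    return [e["domainName"] for e in entries if e.get("insecure") is True]


def check_passes(config_json: str) -> bool:
    """The rule passes only when no allowed import registry is flagged insecure."""
    return not insecure_import_registries(config_json)


if __name__ == "__main__":
    findings = insecure_import_registries(SAMPLE_IMAGE_CONFIG)
    if findings:
        print("FAIL: insecure registries allowed for import:", ", ".join(findings))
    else:
        print("PASS: no insecure registries allowed for import")
```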
Warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/config.openshift.io/v1/images/cluster API endpoint, and save its response to the local /apis/config.openshift.io/v1/images/cluster file.
Rationale
The configured list of allowed registries for import should contain only secure sources.
ID: xccdf_org.ssgproject.content_rule_ocp_insecure_allowed_registries_for_import
Severity: Medium
References:
Updated: