Check if any insecure registry sources are configured
An XCCDF Rule
Description
The configuration registrySources.insecureRegistries determines the insecure registries that the OpenShift container runtime can access for builds and pods. This setting allows the configured registries to be accessed without TLS validation, which could lead to security breaches and should be avoided.
Remove any insecureRegistries configured using the following command:
oc patch image.config.openshift.io cluster --type=json -p "[{'op': 'remove', 'path': '/spec/registrySources/insecureRegistries'}]"
For more information, follow the relevant documentation.
Warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the
/apis/config.openshift.io/v1/images/cluster
API endpoint and save the response to the local /apis/config.openshift.io/v1/images/cluster file.
Rationale
Insecure registries should not be configured; leaving this setting unset prevents the OpenShift container runtime from accessing registries that cannot be validated.
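The following script is an added example, not part of this rule's content or of the ComplianceAsCode project's own check. It shows the logic the check above applies to a locally saved dump of the /apis/config.openshift.io/v1/images/cluster endpoint: it reads the JSON, looks for spec.registrySources.insecureRegistries, and reports pass or fail together with the remediation command from the description. The two embedded dumps are constructed samples (the registry hostname is made up), and treating an empty list as compliant is this example's choice.

```python
from __future__ import annotations

import json
import sys

# Constructed sample of an images/cluster dump with an insecure registry set
# (not taken from a real cluster).
NONCOMPLIANT_DUMP = json.dumps({
    "apiVersion": "config.openshift.io/v1",
    "kind": "Image",
    "metadata": {"name": "cluster"},
    "spec": {
        "registrySources": {
            "allowedRegistries": ["quay.io"],
            "insecureRegistries": ["registry.example.internal:5000"],
        }
    },
})

# Constructed sample of a compliant dump: no insecureRegistries key at all.
COMPLIANT_DUMP = json.dumps({
    "apiVersion": "config.openshift.io/v1",
    "kind": "Image",
    "metadata": {"name": "cluster"},
    "spec": {"registrySources": {"allowedRegistries": ["quay.io"]}},
})

RULE_ID = "xccdf_org.ssgproject.content_rule_ocp_insecure_registries"
REMEDIATION = (
    "oc patch image.config.openshift.io cluster --type=json "
    "-p \"[{'op': 'remove', 'path': '/spec/registrySources/insecureRegistries'}]\""
)


def insecure_registries(dump_text: str) -> list[str]:
    """Return the entries under spec.registrySources.insecureRegistries.

    An absent key (or absent registrySources/spec) yields an empty list.
    """
    obj = json.loads(dump_text)
    sources = obj.get("spec", {}).get("registrySources", {})
    regs = sources.get("insecureRegistries")
    if regs is None:
        return []
    if not isinstance(regs, list):
        raise ValueError("insecureRegistries must be a list of registry names")
    return [str(r) for r in regs]


def evaluate(dump_text: str) -> dict:
    """Evaluate the rule: pass when no insecure registries are configured."""
    regs = insecure_registries(dump_text)
    return {
        "rule": RULE_ID,
        "result": "pass" if not regs else "fail",
        "insecure_registries": regs,
        # Only a failing result carries the remediation command.
        "remediation": None if not regs else REMEDIATION,
    }


def evaluate_file(path: str) -> dict:
    """Evaluate the rule against a dump saved to disk."""
    with open(path, encoding="utf-8") as fh:
        return evaluate(fh.read())


if __name__ == "__main__":
    # Usage: python check_insecure_registries.py [path/to/images/cluster dump]
    # Without an argument the constructed non-compliant sample is evaluated.
    if len(sys.argv) > 1:
        report = evaluate_file(sys.argv[1])
    else:
        report = evaluate(NONCOMPLIANT_DUMP)
    print(json.dumps(report, indent=2))
```

Point the script at the file produced by saving the API endpoint locally, as the warning above describes; a "fail" result lists the offending registries so they can be reviewed before the patch command removes the whole insecureRegistries field.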
- ID: xccdf_org.ssgproject.content_rule_ocp_insecure_registries
- Severity: Medium
- References
- Updated