
Ensure the Container Runtime rejects unsigned images by default

An XCCDF Rule

Description

OpenShift Container Platform can verify the signature of a container image before pulling it. This is controlled by the container runtime's policy.json file [1], which on cluster nodes must be managed via the Machine Config Operator [2] rather than edited in place.

Ensure that the default policy is "reject" in /etc/containers/policy.json, which should look as follows:

  {
    "default": [{"type": "reject"}],
    "transports":
    ...
  }
With a "reject" default, adding an allowed registry must be an explicit action (a per-registry entry under "transports"), which ensures that only images from allowed registries are used.

[1] https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md

[2] https://docs.openshift.com/container-platform/latest/security/container_security/security-container-signature.html
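The following is an added example, not code from the SCAP rule, OpenShift or the containers/image project. It builds a policy.json with the required "reject" default and a single explicit "signedBy" allowance, audits a policy for the conditions this rule checks, and wraps the result in a MachineConfig so the Machine Config Operator writes it to /etc/containers/policy.json. The registry name, key path and MachineConfig name are assumptions, and the permissive policy it audits is a constructed sample of the kind of configuration the rule is meant to catch.

```python
"""Added example (not from the SCAP rule, OpenShift or containers/image):
build, audit and deploy a policy.json that rejects unsigned images by default."""
import base64
import json

# Assumed values for illustration only.
ALLOWED_REGISTRY = "registry.example.com"          # hypothetical registry
KEY_PATH = "/etc/pki/rpm-gpg/example-release.pub"  # hypothetical GPG public key on the node
MC_NAME = "51-worker-reject-unsigned-images"       # hypothetical MachineConfig name
POLICY_PATH = "/etc/containers/policy.json"

# Constructed sample of a permissive policy: everything is accepted without a signature.
PERMISSIVE_POLICY = {
    "default": [{"type": "insecureAcceptAnything"}],
    "transports": {"docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}},
}


def build_policy(allowed_registry: str, key_path: str) -> dict:
    """Policy that rejects every image unless a transport-specific entry allows it.

    The only allowance is images pulled from `allowed_registry` over the docker
    transport that carry a signature verifiable with the GPG key at `key_path`."""
    return {
        "default": [{"type": "reject"}],
        "transports": {
            "docker": {
                allowed_registry: [
                    {"type": "signedBy", "keyType": "GPGKeys", "keyPath": key_path}
                ]
            }
        },
    }


def audit_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means the policy satisfies the rule."""
    findings = []
    default = policy.get("default", [])
    if not default or any(req.get("type") != "reject" for req in default):
        findings.append("default policy is not reject")
    # Any scope that accepts unsigned images reopens the hole the default closes.
    for transport, scopes in policy.get("transports", {}).items():
        for scope, reqs in scopes.items():
            for req in reqs:
                if req.get("type") == "insecureAcceptAnything":
                    findings.append(f"{transport}:{scope or '<any>'} accepts unsigned images")
    return findings


def machineconfig_for_policy(policy: dict, name: str, role: str = "worker") -> dict:
    """Wrap the policy in a MachineConfig that writes it to POLICY_PATH on nodes of `role`.

    The file contents travel as an Ignition data URL (base64), which is how the
    Machine Config Operator expects file payloads."""
    encoded = base64.b64encode(json.dumps(policy, indent=2).encode()).decode()
    return {
        "apiVersion": "machineconfiguration.openshift.io/v1",
        "kind": "MachineConfig",
        "metadata": {
            "name": name,
            "labels": {"machineconfiguration.openshift.io/role": role},
        },
        "spec": {
            "config": {
                "ignition": {"version": "3.2.0"},
                "storage": {
                    "files": [
                        {
                            "path": POLICY_PATH,
                            "mode": 0o644,
                            "overwrite": True,
                            "contents": {
                                "source": f"data:text/plain;charset=utf-8;base64,{encoded}"
                            },
                        }
                    ]
                },
            }
        },
    }


def policy_from_machineconfig(mc: dict) -> dict:
    """Decode the policy back out of a MachineConfig, as an offline check of what
    would land on the node (the same check can be run against `oc get mc -o json`)."""
    for f in mc["spec"]["config"]["storage"]["files"]:
        if f["path"] == POLICY_PATH:
            encoded = f["contents"]["source"].split("base64,", 1)[1]
            return json.loads(base64.b64decode(encoded))
    raise ValueError(f"no {POLICY_PATH} entry in MachineConfig")


if __name__ == "__main__":
    hardened = build_policy(ALLOWED_REGISTRY, KEY_PATH)
    print("permissive findings:", audit_policy(PERMISSIVE_POLICY))
    print("hardened findings:", audit_policy(hardened))
    # oc accepts JSON manifests, so this can be piped into `oc apply -f -`.
    print(json.dumps(machineconfig_for_policy(hardened, MC_NAME), indent=2))
```

Because the "reject" default applies to every registry that has no more specific entry, the cluster's own platform image sources need their own "transports" entries too; roll such a MachineConfig out to a test MachineConfigPool first. Once applied, the rendered file can be confirmed on a node with `oc debug node/<node> -- chroot /host cat /etc/containers/policy.json`.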

Rationale

By ensuring that the container runtime verifies the signature of a container image before pulling it, one prevents a malicious actor from introducing unauthorized or tampered images into the deployment.

ID
xccdf_org.ssgproject.content_rule_reject_unsigned_images_by_default
Severity
Medium