Image Allowlist 1.2.7

Enforces that every container image is on a defined allowlist. Allowed images can be defined for each namespace individually or via a global allowlist. If an image matches one of the registries or images defined either globally or for the namespace it is deployed to, no violation is reported.

To add images to the global allowlist, add them as parameters to the constraint defined in imageallowlist-constraint.yaml:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ImageAllowlist
[...]
spec:
  parameters:
    trustedregistries:
      - trusted.registry.com
      - another.registry.com/my-repo
    trustedimages:
      - registry.com/repo/trusted-image
      - trusted-image
      - trusted-image-with-version:v1.0

Namespace-scoped allowlists are maintained via annotations on the Namespace object:

apiVersion: v1
kind: Namespace
metadata:
  name: ns-with-allowlist
  annotations:
    securitytower.io/imageallowlist.trustedregistries: >-
      ns-trusted.registry.com
      ns-another.registry.com/my-repo
    securitytower.io/imageallowlist.trustedimages: >-
      ns-registry.com/repo/trusted-image
      ns-trusted-image
      ns-trusted-image-with-version:v1.0

Note that this policy is part of the following security standards:

  • cis/kubernetes: CIS Kubernetes Benchmark v1.6.0: Section 5.5.1
  • nist/SP.800-190: NIST Special Publication 800-190 - Application Container Security Guide: Section 3.1.5
  • bsi/containerization: BSI IT-Grundschutz "Containerisierung": Section: SYS.1.6.A6

Applies to

  • Pod
  • CronJob
  • ReplicaSet
  • ReplicationController
  • Deployment
  • StatefulSet
  • DaemonSet
  • Job

Example

apiVersion: v1
kind: Namespace
metadata:
  name: ns-with-allowlist
  annotations:
    securitytower.io/imageallowlist.trustedregistries: "private.registry.com"
    securitytower.io/imageallowlist.trustedimages: >-
      fluent/fluent-bit
      quay.io/fluentd_elasticsearch/fluentd
...
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
  namespace: ns-with-allowlist
spec:
  selector:
    matchLabels:
      app: test-deployment
  template:
    metadata:
      labels:
        app: test-deployment
    spec:
      containers:
        - name: nginx
-         image: nginx:1.14.2
+         image: private.registry.com/nginx:1.14.2
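To make the matching rules concrete, here is an added illustration of the allowlist decision in Python; it is not the policy's own Rego, and its semantics are assumptions: a trustedregistries entry matches an image reference as a prefix on a "/" boundary, a trustedimages entry without a tag matches that image with any tag, and an entry with a tag requires exactly that tag. The global lists and namespace annotations are constructed from the examples above.

```python
from __future__ import annotations

# Added illustration, not the policy's own Rego. Assumed semantics: a registry
# entry matches as a '/'-bounded prefix; an image entry without a tag matches
# any tag of that image; an entry with a tag requires exactly that tag.

REG_KEY = "securitytower.io/imageallowlist.trustedregistries"
IMG_KEY = "securitytower.io/imageallowlist.trustedimages"

# Constructed global allowlist and namespace annotations mirroring the page's examples.
GLOBAL_REGISTRIES = ["trusted.registry.com", "another.registry.com/my-repo"]
GLOBAL_IMAGES = ["registry.com/repo/trusted-image", "trusted-image",
                 "trusted-image-with-version:v1.0"]
NS_ANNOTATIONS = {
    REG_KEY: "private.registry.com",
    IMG_KEY: "fluent/fluent-bit\nquay.io/fluentd_elasticsearch/fluentd",  # '>-' folded scalar
}

def parse_annotation(value: str) -> list[str]:
    """Entries in a '>-' annotation are whitespace separated (newlines fold to spaces)."""
    return value.split()

def split_tag(ref: str) -> tuple[str, str | None]:
    """Split 'repo/name:tag' into (name, tag); a ':' in a registry port is not a tag."""
    last_segment = ref.rsplit("/", 1)[-1]
    if ":" in last_segment:
        name, tag = ref.rsplit(":", 1)
        return name, tag
    return ref, None

def registry_matches(entry: str, ref: str) -> bool:
    # Boundary-aware so 'trusted.registry.com' cannot match 'trusted.registry.com.evil.io/app'.
    return ref.startswith(entry.rstrip("/") + "/")

def image_matches(entry: str, ref: str) -> bool:
    ref_name, ref_tag = split_tag(ref)
    entry_name, entry_tag = split_tag(entry)
    return ref_name == entry_name and (entry_tag is None or entry_tag == ref_tag)

def is_allowed(ref: str, registries: list[str], images: list[str]) -> bool:
    return (any(registry_matches(r, ref) for r in registries)
            or any(image_matches(i, ref) for i in images))

def violations(container_images: list[str], ns_annotations: dict[str, str]) -> list[str]:
    """Images of one workload that would be reported, merging global and namespace lists."""
    registries = GLOBAL_REGISTRIES + parse_annotation(ns_annotations.get(REG_KEY, ""))
    images = GLOBAL_IMAGES + parse_annotation(ns_annotations.get(IMG_KEY, ""))
    return [ref for ref in container_images if not is_allowed(ref, registries, images)]

if __name__ == "__main__":
    print(violations(["nginx:1.14.2", "private.registry.com/nginx:1.14.2"], NS_ANNOTATIONS))
```

Note that the checker does not normalise short names such as nginx to docker.io/library/nginx, so an allowlist entry has to be written in the same form the workload uses.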

Risk acceptance

Use the annotation securitytower.io/policy.exclusion.imageallowlist as in the example below.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-deployment
  annotations:
    securitytower.io/policy.exclusion.imageallowlist: |-
      The external repository is used because of ... provide your reasoning here.
...