By using the IBM Container Image Security Enforcement feature, you can verify the integrity of your container images before you deploy them.
IBM Container Image Security Enforcement controls where images are deployed from, and enforces Vulnerability Advisor (VA) policies. If an image does not meet your defined policy requirements, the pod is not deployed.
For each image in a repository, an image policy scope of either cluster or namespace is applied. When you deploy an application, IBM Container Image Security Enforcement checks whether the Kubernetes namespace that you are
deploying to has any policy regulations that must be applied. If a namespace policy does not exist, then the cluster policy is applied. If the namespace and cluster policies overlap, the cluster
scope is ignored. If neither a cluster nor a namespace scope policy exists, your deployment fails to launch. You might see an error message similar to the following message:
... release ... failed: Internal error occurred: admission webhook "trust.hooks.securityenforcement.admission.cloud.ibm.com" denied the request:
Deny "docker.io/rook/rook:v0.7.1", no matching repositories in ClusterImagePolicy and no ImagePolicies in the "default" namespace
Note: Any pod that is deployed to a namespace that is reserved for IBM Cloud Pak for Multicloud Management services bypasses the container image security check. The following namespaces are reserved for IBM Cloud Pak for Multicloud Management services:
- ibm-common-services (Common Services)
- kube-system
- management-monitoring
- management-infrastructure-management
- management-security-services
- management-operations
To resolve the issue, create a policy.
The policy definition is configured in the <installation_cluster>/cluster/config.yaml file or by using the console.
apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
kind: <ClusterImagePolicy_or_ImagePolicy>
metadata:
  name: <crd_name>
spec:
  repositories:
    - name: <repository_name>
      policy:
        va:
          enabled: <true_or_false>
<repository_name> - Specifies the repositories to allow images from. This is the list of repositories that contain trusted content. A wildcard (*) character is allowed in the repository name; it denotes that images from all repositories are allowed or trusted. To set all your repositories to trusted, set the repository name to (*) and omit the policy subsections. Repositories, by default, require a policy check, with the exception of the default <<CLUSTER DOMAIN>>:8500 repository. The <<CLUSTER DOMAIN>>:8500 repository name is unique to your cluster. An empty or blank repository name value blocks deployment of all images.
va - If va is set to enabled: true for a container registry, any attempt to deploy pods from images in that registry is blocked. If you want to deploy images from these registries, you must remove the va policy specification. The default IBM Cloud Pak for Multicloud Management built-in container registry is the only registry that supports Vulnerability Advisor policy enforcement.
The default security enforcement image policy has cluster scope. With this policy, only the images that are stored in the following built-in container registry can be used in the cluster. Image Security Enforcement, by default, denies unverifiable policy content. You must enable or disable Image Security Enforcement to alter this behavior.
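The scope precedence and repository matching rules described above can be exercised offline. The following Python script is an added example written for this page, not the product's own admission webhook code. It assumes (these points are not stated on the page) that a wildcard (*) in a repository name matches any run of characters, including slashes and colons, and that the image reference being checked is already fully qualified with registry host, path and tag, as in the error message shown earlier. The sample policies and image references are constructed for the demonstration; `<<CLUSTER DOMAIN>>:8500` is the page's own placeholder for the built-in registry.

```python
"""Offline simulation of the admission decision described on this page: a
namespace-scoped ImagePolicy, when one exists in the target namespace, is used
instead of the ClusterImagePolicy; the cluster policy is used only when the
namespace has none; with neither, the pod is denied.  Added example for this
page, not the product's webhook code.  Assumptions not taken from the page:
'*' matches any run of characters (including '/' and ':'), and image references
are already fully qualified (host/path:tag)."""
import re
from typing import Dict, List, Optional, Tuple

# Placeholder copied from the page; it stands for your cluster's built-in registry.
BUILT_IN_REGISTRY = "<<CLUSTER DOMAIN>>:8500"


def repo_matches(pattern: str, image: str) -> bool:
    """Match one repository entry against an image reference.
    An empty pattern matches nothing, which is how a blank name blocks all images."""
    if pattern == "":
        return False
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, image) is not None


def evaluate(image: str, namespace: str,
             cluster_policy: Optional[List[dict]],
             namespace_policies: Dict[str, List[dict]]) -> Tuple[bool, str]:
    """Return (allowed, reason).  A policy is a list of {"name": ..., "va": bool}
    entries mirroring the page's name / policy / va / enabled fields."""
    ns_policy = namespace_policies.get(namespace)
    if ns_policy is not None:
        scope, repos = "ImagePolicy", ns_policy          # cluster policy is ignored here
    elif cluster_policy is not None:
        scope, repos = "ClusterImagePolicy", cluster_policy
    else:
        return False, f'Deny "{image}", no ClusterImagePolicy and no ImagePolicies in the "{namespace}" namespace'

    for entry in repos:
        if repo_matches(entry["name"], image):
            # Per the page, only the built-in registry supports VA enforcement; with
            # va enabled on any other registry, deployments from it are blocked.
            if entry.get("va") and not image.startswith(BUILT_IN_REGISTRY + "/"):
                return False, f'Deny "{image}", va enabled for a registry that does not support it ({scope} entry {entry["name"]!r})'
            return True, f'Allow "{image}", matched {scope} entry {entry["name"]!r}'
    return False, f'Deny "{image}", no matching repositories in {scope} for the "{namespace}" namespace'


# Constructed sample policies: a subset of the page's default cluster list plus two
# namespace policies, to show precedence and the blank-name case.
CLUSTER_POLICY = [
    {"name": "docker.io/rook/rook:*"},
    {"name": "*.icr.io/*"},
    {"name": "quay.io/coreos/kube-rbac-proxy:*", "va": True},   # va on a non-built-in registry
    {"name": BUILT_IN_REGISTRY + "/*", "va": True},
]
NAMESPACE_POLICIES = {
    "payments": [{"name": "cp.icr.io/cp/*"}],   # overlap: the cluster list is ignored here
    "locked": [{"name": ""}],                   # blank name: blocks every image
}


def run_demo() -> Dict[Tuple[str, str], bool]:
    """Evaluate a handful of constructed deployments; return (image, namespace) -> allowed."""
    cases = [
        ("docker.io/rook/rook:v0.7.1", "default"),
        ("docker.io/rook/ceph:v1.0.0", "default"),
        ("us.icr.io/team/app:1.0", "default"),
        ("quay.io/coreos/kube-rbac-proxy:v0.4.1", "default"),
        (BUILT_IN_REGISTRY + "/team/app:1.0", "default"),
        ("docker.io/rook/rook:v0.7.1", "payments"),
        ("cp.icr.io/cp/app:1.0", "payments"),
        ("cp.icr.io/cp/app:1.0", "locked"),
    ]
    results = {}
    for image, ns in cases:
        allowed, reason = evaluate(image, ns, CLUSTER_POLICY, NAMESPACE_POLICIES)
        print(reason)
        results[(image, ns)] = allowed
    return results


if __name__ == "__main__":
    run_demo()
```

The `payments` case is the one worth studying: `docker.io/rook/rook:v0.7.1` is allowed in `default` through the cluster policy but denied in `payments`, because the namespace has its own ImagePolicy and the cluster list is no longer consulted there.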
Note: By default, the Vulnerability Advisor (VA) Container Image Security Enforcement doesn't apply to the Default policy.
The default clusterImagePolicy custom resource definition includes the following repositories:
repositories:
- name: "registry.redhat.io/*"
- name: "cp.icr.io/cp/*"
- name: "icr.io/*"
- name: "*.icr.io/*"
- name: "registry*.bluemix.net/*"
- name: "registry.marketplace.redhat.com/*"
- name: "docker.elastic.co/beats/filebeat:*"
- name: "docker.elastic.co/elasticsearch/elasticsearch:*"
- name: "docker.elastic.co/kibana/kibana:*"
- name: "docker.elastic.co/logstash/logstash:*"
- name: "docker.io/alpine*"
- name: "docker.io/amd64/busybox*"
- name: "docker.io/apache/couchdb*"
- name: "docker.io/busybox*"
- name: "docker.io/cassandra:*"
- name: "docker.io/centos:*"
- name: "docker.io/consul:*"
- name: "docker.io/couchdb:*"
- name: "docker.io/db2eventstore/*"
- name: "docker.io/dduportal/bats:*"
- name: "docker.io/f5networks/k8s-bigip-ctlr:*"
- name: "docker.io/haproxy:*"
- name: "docker.io/hazelcast/hazelcast:*"
- name: "docker.io/hybridcloudibm/*"
- name: "docker.io/ibmcloudcontainers/strongswan:*"
- name: "docker.io/ibmcom/*"
- name: "docker.io/icpdashdb/*"
- name: "docker.io/istio/proxyv2:*"
- name: "docker.io/library/busybox:*"
- name: "docker.io/minio/mc:*"
- name: "docker.io/minio/minio:*"
- name: "docker.io/nginx:*"
- name: "docker.io/open-liberty:*"
- name: "docker.io/openliberty/*"
- name: "docker.io/openwhisk/*"
- name: "docker.io/openzipkin/zipkin:*"
- name: "docker.io/opsh2oai/dai-ppc64le:*"
- name: "docker.io/postgres:*"
- name: "docker.io/ppc64le/*"
- name: "docker.io/prom/prometheus:*"
- name: "docker.io/prom/statsd-exporter:*"
- name: "docker.io/python:*"
- name: "docker.io/rabbitmq:*"
- name: "docker.io/radial/busyboxplus:*"
- name: "docker.io/redis*"
- name: "docker.io/rook/ceph:*"
- name: "docker.io/rook/rook:*"
- name: "docker.io/skydive/*"
- name: "docker.io/store/ibmcorp/*"
- name: "docker.io/ubuntu*"
- name: "docker.io/vault:*"
- name: "docker.io/websphere-liberty:*"
- name: "docker.io/wurstmeister/kafka:*"
- name: "docker.io/zookeeper:*"
- name: "k8s.gcr.io/addon-resizer:*"
- name: "k8s.gcr.io/elasticsearch:*"
- name: "k8s.gcr.io/fluentd-elasticsearch:*"
- name: "k8s.gcr.io/hyperkube:*"
- name: "quay.io/ansible-tower/*"
- name: "quay.io/coreos/hyperkube:*"
- name: "quay.io/coreos/kube-rbac-proxy:*"
- name: "quay.io/coreos/kube-state-metrics:*"
- name: "quay.io/coreos/monitoring-grafana:*"
- name: "quay.io/kubernetes-multicluster/federation-v2:*"
- name: "quay.io/k8scsi/csi-attacher:*"
- name: "quay.io/k8scsi/driver-registrar:*"
- name: "quay.io/k8scsi/nfsplugin:*"
- name: "quay.io/multicloudlab/*"
- name: "quay.io/openshift-release-*"
- name: "quay.io/prometheus/node-exporter:*"
- name: "quay.io/yanweili/*"
- name: "registry.access.redhat.com/rhel*"
- name: "registry.access.redhat.com/rhscl/*"
- name: "registry.bluemix.net/armada-master/ibm-worker-recovery:*"
- name: "registry.bluemix.net/ibm/*"
- name: "<<CLUSTER DOMAIN>>:8500/*"
- name: "gcr.io/cloud-builders/gcs-fetcher:*"
- name: "gcr.io/knative-releases/github.com/knative/*"
- name: "gcr.io/k8s-prow/entrypoint:*"
- name: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/*"
For more information about potential issues with Image Security Enforcement, see Troubleshooting container image security.
IBM Container Image Security Enforcement is available as an operator. IBM Container Image Security Enforcement is disabled by default during installation.
To disable IBM Container Image Security Enforcement during installation, ensure that the toggle next to the Image signing support for image policies operator (ibm-management-image-security-enforcement) is set to False.
You can add the service back by editing the YAML file later. For more information about enabling and disabling IBM Container Image Security Enforcement during installation, see Installing the IBM Cloud Pak for Multicloud Management.
To disable IBM Container Image Security Enforcement after installation, locate ibm-management-image-security-enforcement in the list of installed operators and complete the steps that are listed in Uninstalling an IBM Cloud Pak for Multicloud Management service or module.
You can modify the image policy, either at the cluster or namespace level after you install your OpenShift Container Platform cluster. In your policy, you can specify different enforcement rules for different images.
You can also predefine the cluster scope image policy before you install OpenShift Container Platform. This predefined setting overwrites the default cluster scope image policy during installation.
To predefine the cluster scope image policy before installation, modify the config.yaml file.
For example, adding the following to the config.yaml file allows all the images that are in the quay.io repository to be used for deployments in your cluster.
image-security-enforcement:
  clusterImagePolicy:
    - name: "quay.io/*"
      policy:
You can also deploy the policy as a Kubernetes object post installation of your cluster. To deploy the policy as a Kubernetes object, use the kubectl apply command.
Create a policy.yaml file that holds the policy specifications. The following are a few sample policy configurations that you might use for your policy.yaml file.
This policy allows container images from Docker Hub Container Registry, CoreOS Container Registry, Google Container Registry, Azure Container Registry, Amazon Elastic Container Registry, and IBM Container Registry.
apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
kind: ClusterImagePolicy
metadata:
  name: ibmcloud-default-cluster-image-policy
spec:
  repositories:
    # Docker Hub Container Registry
    - name: "docker.io/*"
      policy:
    # CoreOS Container Registry
    - name: "quay.io/*"
      policy:
    # Google Container Registry
    - name: "gcr.io/*"
      policy:
    # Azure Container Registry
    - name: "*azurecr.io/*"
      policy:
    # Amazon Elastic Container Registry
    - name: "*amazonaws.com/*"
      policy:
    # IBM Container Registry
    - name: "registry*.bluemix.net/*"
      policy:
This policy allows images from any container registry.
apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
kind: ClusterImagePolicy
metadata:
  name: ibmcloud-default-cluster-image-policy
spec:
  repositories:
    # allow all images
    - name: "*"
      policy:
This policy denies all images from any container registry, including the IBM Container Image Security Enforcement image itself.
apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
kind: ClusterImagePolicy
metadata:
  name: ibmcloud-default-cluster-image-policy
spec:
  repositories:
Apply the policy.
kubectl apply -f policy.yaml
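Because an empty repositories list or a blank name silently denies everything, and a bare "*" trusts everything, it is worth reviewing a policy.yaml before applying it. The following Python script is an added example for this page, not part of the product. It uses a deliberately small line-based reader that understands only the fields the page's samples use (kind, metadata.name, repositories[].name and policy.va.enabled), so it needs no YAML library; it assumes, which the page does not state, that comments start with "#" and that an enabled: line belongs to the most recent "- name:" entry. The three sample documents are constructed from the page's own examples.

```python
"""Review a policy.yaml in the format shown on this page before running
kubectl apply.  Added example for this page, not part of the product.  The
reader is line-based and covers only kind, metadata.name, repositories[].name
and policy.va.enabled; assumptions not from the page: comments start with '#'
and an enabled: line belongs to the most recent '- name:' entry."""
import re
from typing import List

BUILT_IN_REGISTRY = "<<CLUSTER DOMAIN>>:8500"   # placeholder copied from the page

KIND_RE = re.compile(r"^kind:\s*(\S+)\s*$")
META_NAME_RE = re.compile(r"^\s+name:\s*(\S+)\s*$")
REPOS_RE = re.compile(r"^\s*repositories:\s*$")
ENTRY_RE = re.compile(r'^\s*-\s*name:\s*"?([^"]*)"?\s*$')
ENABLED_RE = re.compile(r"^\s*enabled:\s*(true|false)\s*$")


def read_policy(text: str) -> dict:
    """Extract kind, metadata name and repository entries from policy YAML text."""
    policy = {"kind": None, "name": None, "repositories": []}
    in_repos, current = False, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments and trailing space
        if not line.strip():
            continue
        m = KIND_RE.match(line)
        if m:
            policy["kind"] = m.group(1)
        elif REPOS_RE.match(line):
            in_repos = True
        elif in_repos and (m := ENTRY_RE.match(line)):
            current = {"name": m.group(1).strip(), "va": None}
            policy["repositories"].append(current)
        elif not in_repos and (m := META_NAME_RE.match(line)):
            policy["name"] = m.group(1)
        elif current is not None and (m := ENABLED_RE.match(line)):
            current["va"] = m.group(1) == "true"
    return policy


def lint(policy: dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    if policy["kind"] not in ("ClusterImagePolicy", "ImagePolicy"):
        findings.append(f"unexpected kind {policy['kind']!r}: expected ClusterImagePolicy or ImagePolicy")
    repos = policy["repositories"]
    if not repos:
        findings.append("repositories is empty: all images are denied, including the enforcement image itself")
    for entry in repos:
        name = entry["name"]
        if name == "":
            findings.append("blank repository name: blocks deployment of all images")
        elif name == "*":
            findings.append("repository '*': images from every registry are trusted")
        if entry["va"] is True and not name.startswith(BUILT_IN_REGISTRY + "/"):
            findings.append(f"va enabled for {name!r}: only the built-in registry supports VA, "
                            "so deployments from this registry will be blocked")
    return findings


# Constructed samples, based on the policies shown on this page.
ALLOW_ALL = """\
apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
kind: ClusterImagePolicy
metadata:
  name: ibmcloud-default-cluster-image-policy
spec:
  repositories:
    # allow all images
    - name: "*"
      policy:
"""
DENY_ALL = """\
apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
kind: ClusterImagePolicy
metadata:
  name: ibmcloud-default-cluster-image-policy
spec:
  repositories:
"""
SCOPED = """\
apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
kind: ImagePolicy
metadata:
  name: team-policy
spec:
  repositories:
    - name: "<<CLUSTER DOMAIN>>:8500/*"
      policy:
        va:
          enabled: true
    - name: "quay.io/coreos/kube-rbac-proxy:*"
      policy:
        va:
          enabled: true
"""


def run_demo() -> dict:
    """Lint the three constructed samples and return label -> findings."""
    report = {}
    for label, text in (("allow-all", ALLOW_ALL), ("deny-all", DENY_ALL), ("scoped", SCOPED)):
        report[label] = lint(read_policy(text))
        print(f"{label}: {report[label] or ['no findings']}")
    return report


if __name__ == "__main__":
    run_demo()
```

Run it against your own policy.yaml by passing the file contents to read_policy and lint; a non-empty list is a prompt to look again before kubectl apply, not necessarily an error, since deny-all and allow-all are both legitimate policies when chosen deliberately.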
You can create an image enforcement policy by using the OpenShift Container Platform console that sets guidelines for pods that are created in your cluster. Complete the following steps to create an image policy:
In the management-security-services namespace, click Operators > Installed Operators > IBM Cloud Pak for Multicloud Management Image Security Enforcement.
Your new ClusterImagePolicy is deployed.