Enforcing container image security

By using the IBM Container Image Security Enforcement feature, you can verify the integrity of your container images before you deploy them to an IBM Cloud Private cluster.

IBM Container Image Security Enforcement controls where images are deployed from and enforces Vulnerability Advisor (VA) policies. If an image does not meet your defined policy requirements, the pod is not deployed.

Policy definition

Image policies have a scope of either cluster or namespace. When you deploy an application, IBM Container Image Security Enforcement checks whether the Kubernetes namespace that you are deploying to has a namespace-scoped policy that must be applied. If no namespace policy exists, the cluster policy is applied. If a namespace policy and the cluster policy overlap, the cluster policy is ignored. If neither a cluster nor a namespace scope policy exists, your deployment fails to launch, and you might see an error message similar to the following:

... release ... failed: Internal error occurred: admission webhook "trust.hooks.securityenforcement.admission.cloud.ibm.com" denied the request:
Deny "docker.io/rook/rook:v0.7.1", no matching repositories in ClusterImagePolicy and no ImagePolicies in the "default" namespace

Note: Any pod that is deployed to a namespace that is reserved for IBM Cloud Private services bypasses the container image security check. The following namespaces are reserved for IBM Cloud Private services:

To resolve the issue, create a policy.

The policy definition is configured in the <installation_cluster>/cluster/config.yaml file or by using the Web console.

apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
kind: <ClusterImagePolicy_or_ImagePolicy>
metadata:
  name: <crd_name>
spec:
  repositories:
    - name: <repository_name>
      policy:
        va:
          enabled: <true_or_false>
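The precedence rules above (namespace policy first, then the cluster policy, otherwise deny) and the wildcard repository names used throughout this page can be modelled in a few lines. The following is an added example, not IBM's code: the policies, cluster domain and namespace names are constructed, and the deny wording for the namespace case and the treatment of an image reference without a registry host as a Docker Hub image are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed policies that mirror the CRD shape shown on this page. An empty
# "policy:" in YAML loads as None, so VA enforcement is treated as off for it.
CLUSTER_POLICY = {"kind": "ClusterImagePolicy", "spec": {"repositories": [
    {"name": "mycluster.icp:8500/*", "policy": None},            # built-in registry
    {"name": "registry*.bluemix.net/*", "policy": {"va": {"enabled": True}}},
]}}
NAMESPACE_POLICIES = {"dev": [{"kind": "ImagePolicy", "spec": {"repositories": [
    {"name": "docker.io/ibmcom/*", "policy": {"va": {"enabled": False}}},
]}}]}

def normalize_image(image):
    """Assumed normalization: a reference with no registry host is a Docker Hub
    image, which is how rook/rook:v0.7.1 appears in the deny message above."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return image
    return "docker.io/" + image

def va_required(repo):
    """True when the matched repository entry turns on Vulnerability Advisor."""
    policy = repo.get("policy") or {}
    return bool(policy.get("va", {}).get("enabled", False))

def admission_decision(image, namespace, cluster_policies, namespace_policies):
    """Return (allowed, va_required, reason) for one pod image.
    ImagePolicies in the target namespace take precedence; otherwise the
    ClusterImagePolicy applies; with no matching repository the pod is denied."""
    image = normalize_image(image)
    ns_policies = namespace_policies.get(namespace, [])
    active = ns_policies or cluster_policies
    for policy in active:
        for repo in policy["spec"].get("repositories") or []:
            # "*" also spans "/", so "docker.io/*" covers every Docker Hub image
            if fnmatchcase(image, repo["name"]):
                return True, va_required(repo), f'Allow "{image}" by {policy["kind"]}'
    if ns_policies:  # assumed wording for the namespace-scoped deny
        reason = f'Deny "{image}", no matching repositories in ImagePolicies in the "{namespace}" namespace'
    else:
        reason = (f'Deny "{image}", no matching repositories in ClusterImagePolicy '
                  f'and no ImagePolicies in the "{namespace}" namespace')
    return False, False, reason
```

Run it against an image in the dev namespace to see the cluster policy being ignored even though the same image would be admitted in a namespace with no ImagePolicy.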

Enabling and disabling IBM Container Image Security Enforcement

IBM Container Image Security Enforcement is available as a Kubernetes chart. IBM Container Image Security Enforcement is enabled by default during the IBM Cloud Private installation.

To disable IBM Container Image Security Enforcement during installation, add image_security_enforcement to the list of disabled services (management_services) in the IBM Cloud Private cluster config.yaml.

After installation of an IBM Cloud Private cluster, the cluster administrator can uninstall the Kubernetes chart.

Default policy

The default security enforcement image policy has cluster scope. With this policy, only the images that are stored in the built-in container registry (the first entry in the policy white list) and the images that are used by the IBM Cloud Private Catalog (the other entries in the policy white list) can be used in the cluster. For example:

image-security-enforcement:
  clusterImagePolicy:
    - name: "{{ cluster_CA_domain }}:8500/*"
    - name: "registry.bluemix.net/ibm/*"
    - name: ...

Note: The default policy does not enable Vulnerability Advisor (VA) enforcement.

Customizing your policy (during installation)

You can modify the image policy at either the cluster or the namespace level after you install your IBM Cloud Private cluster. In your policy, you can specify different enforcement rules for different images.

You can also pre-define the cluster scope image policy before you install IBM Cloud Private. This pre-defined setting overwrites the default cluster scope image policy during installation.

To pre-define the cluster scope image policy, before installation, modify the config.yaml file.

For example, adding the following to the config.yaml file allows all images from the quay.io registry to be used for deployments in your cluster.

image-security-enforcement:
  clusterImagePolicy:
    - name: "quay.io/*"
      policy:

Customizing your policy (post installation)

You can also deploy the policy as a Kubernetes object after your cluster is installed. To deploy the policy as a Kubernetes object, use the kubectl apply command.

  1. Create a policy.yaml file that holds the policy specifications. The following are a few sample policy configurations that you might use for your policy.yaml file.

    • This policy allows container images from Docker Hub, the CoreOS container registry (quay.io), Google Container Registry, Azure Container Registry, Amazon Elastic Container Registry, and IBM Container Registry.

      apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
      kind: ClusterImagePolicy
      metadata:
        name: ibmcloud-default-cluster-image-policy
      spec:
        repositories:
          # Docker Hub Container Registry
          - name: "docker.io/*"
            policy:

          # CoreOS Container Registry
          - name: "quay.io/*"
            policy:

          # Google Container Registry
          - name: "gcr.io/*"
            policy:

          # Azure Container Registry
          - name: "*azurecr.io/*"
            policy:

          # Amazon Elastic Container Registry
          - name: "*amazonaws.com/*"
            policy:

          # IBM Container Registry
          - name: "registry*.bluemix.net/*"
            policy:

    • This policy allows images from any container registry.

      apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
      kind: ClusterImagePolicy
      metadata:
        name: ibmcloud-default-cluster-image-policy
      spec:
        repositories:
          # allow all images
          - name: "*"
            policy:

    • This policy denies all images from any container registry, including the IBM Container Image Security Enforcement image itself.

      apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
      kind: ClusterImagePolicy
      metadata:
        name: ibmcloud-default-cluster-image-policy
      spec:
        repositories:

  2. Apply the policy.

    kubectl apply -f policy.yaml


Image security enforcement by using the IBM Cloud Private Web console

You can create an image enforcement policy by using the IBM Cloud Private Web console that sets guidelines for pods that are created in your cluster. Complete the following steps to create an image policy:

  1. Log in to the IBM Cloud Private Web console of your cluster with an ID that has cluster administrator access.

  2. In the navigation menu, select Manage > Resource Security.

  3. Select Image Policies. A list of available image policies is displayed.

  4. Select Create Image Policy.

  5. Enter a name for your image policy. The name must be a single string that only contains letters, numbers, underscores (_), and hyphens (-).

  6. Select the Scope of the policy to define what resources are restricted by the policy from the following options:

    • Cluster - The policy applies to everything in the current cluster.
    • Namespace - The policy applies to everything in the specified namespace.
  7. If you selected Namespace as your scope, select an existing namespace from the list.

  8. Select Add Registry to specify a trusted location from which images can be pulled. The default behavior is to reject all images; adding a registry identifies that location as a permitted source for images.

    1. Specify a Registry URL to allow that registry as a trusted source. The Registry URL has a format similar to the following examples:
      • Permit all images from Docker Hub: docker.io/*
      • Permit all images from the ibmcom repository on Docker Hub: docker.io/ibmcom/*
    2. Specify whether you want to run the Vulnerability Advisor scan policy, if you have it installed. If it is installed and this setting is enabled, the image must pass the Vulnerability Advisor scan before it is installed.
    3. Select Add to create the new registry.
  9. Select Add to save and create the new image policy.

  10. You can remove an image policy by selecting the options icon (...) for the image policy, and then selecting Remove.