Control: 7.1.5 Ensure IBM Cloud Kubernetes Service cluster has image pull secrets enabled
Description
Image pull secrets are credentials that authorize your cluster to pull images from a private image registry. IBM Cloud Kubernetes Service integrates with IBM Cloud Container Registry and provides pull secrets for IBM Cloud Container Registry in the default Kubernetes namespace.
Remediation
From Console
- Log in to the IBM Cloud console at https://cloud.ibm.com/.
- To view a list of your resources, go to Menu > Resource List.
- From your IBM Cloud resource list, select your cluster.
- From the Overview tab, for Image pull secrets, click Enable.
- In the modal, click Enable to confirm.
From Command Line
- Run the following command to create a service ID for the cluster and assign the service ID an IAM Reader service role for IBM Cloud Container Registry. The command also creates an API key to impersonate the service ID credentials and stores the API key in a Kubernetes image pull secret in the default namespace of the cluster.
ibmcloud ks cluster pull-secret apply --cluster <cluster_name_or_ID>
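To audit the result of the remediation above, the following added example (not part of the CIS benchmark or the Powerpipe mod) reads the JSON that `kubectl get secrets -n default -o json` returns and lists the image pull secrets holding credentials for IBM Cloud Container Registry. The function names and the sample secrets are constructed for illustration, and the check assumes registry hosts under the icr.io domain.

```python
import base64
import json

ICR_DOMAIN = "icr.io"  # IBM Cloud Container Registry domain (assumption of this check)


def _is_icr(registry):
    """True if a registry key from 'auths' is icr.io or a subdomain of it."""
    host = registry.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
    return host == ICR_DOMAIN or host.endswith("." + ICR_DOMAIN)


def icr_pull_secrets(secret_list_json):
    """Map secret name -> sorted ICR registries found in dockerconfigjson secrets."""
    found = {}
    for item in json.loads(secret_list_json).get("items", []):
        if item.get("type") != "kubernetes.io/dockerconfigjson":
            continue  # not an image pull secret
        raw = item.get("data", {}).get(".dockerconfigjson", "")
        try:
            auths = json.loads(base64.b64decode(raw)).get("auths", {})
        except (ValueError, AttributeError):
            continue  # undecodable secret cannot authorize a pull
        hosts = sorted(h for h in auths if _is_icr(h))
        if hosts:
            found[item["metadata"]["name"]] = hosts
    return found


def _encode(auths):
    """Build a .dockerconfigjson value the way Kubernetes stores it (base64)."""
    return base64.b64encode(json.dumps({"auths": auths}).encode()).decode()


# Constructed sample standing in for `kubectl get secrets -n default -o json`.
CRED = {"auth": "Y29uc3RydWN0ZWQ="}
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "example-icr-secret"}, "type": "kubernetes.io/dockerconfigjson",
     "data": {".dockerconfigjson": _encode({"us.icr.io": CRED, "icr.io": CRED})}},
    {"metadata": {"name": "other-registry"}, "type": "kubernetes.io/dockerconfigjson",
     "data": {".dockerconfigjson": _encode({"registry.example.com": CRED, "noticr.io": CRED})}},
    {"metadata": {"name": "app-config"}, "type": "Opaque", "data": {"k": "dg=="}},
]})

if __name__ == "__main__":
    secrets = icr_pull_secrets(SAMPLE)
    print("PASS" if secrets else "FAIL", secrets)
```

An empty result means the default namespace has no pull secret for IBM Cloud Container Registry, which is the condition this control flags.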
Usage
Run the control in your terminal:
powerpipe control run ibm_compliance.control.cis_v100_7_1_5
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_7_1_5 --share
SQL
This control uses a named query:
manual_control