turbot/ibm_compliance

Control: 7.1.5 Ensure IBM Cloud Kubernetes Service cluster has image pull secrets enabled

Description

Image pull secrets are credentials that authorize your cluster to pull images from a private image registry. IBM Cloud Kubernetes Service integrates with IBM Cloud Container Registry and provides pull secrets for IBM Cloud Container Registry in the default Kubernetes namespace.

Remediation

From Console

  1. Log in to the IBM Cloud console at https://cloud.ibm.com/.
  2. To view a list of your resources, go to Menu > Resource List.
  3. From your IBM Cloud resource list, select your cluster.
  4. From the Overview tab, for Image pull secrets, click Enable.
  5. In the modal, click Enable to confirm.

From Command Line:

  1. Run the following command to create a service ID for the cluster and assign the service ID an IAM Reader service role for IBM Cloud Container Registry. The command also creates an API key to impersonate the service ID credentials and stores the API key in a Kubernetes image pull secret in the default namespace of the cluster.
ibmcloud ks cluster pull-secret apply --cluster <cluster_name_or_ID>

Usage

Run the control in your terminal:

powerpipe control run ibm_compliance.control.cis_v100_7_1_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_7_1_5 --share

SQL

This control uses a named query:

manual_control

Tags