turbot/ibm_compliance

Control: 7.2.1 Block deployments of vulnerable images to Kubernetes clusters

Description

Vulnerability Advisor provides security management for IBM Cloud Container Registry, generating a security status report that includes suggested fixes and best practices. Images for which Vulnerability Advisor reports vulnerabilities should not be deployed to Kubernetes clusters. Container Image Security Enforcement (CISE) retrieves information from Vulnerability Advisor to block deployments of vulnerable images.

Remediation

  1. Set the cluster as the context for this session.

     ibmcloud ks cluster config --cluster <cluster_name_or_ID>

  2. Set up Helm in your cluster.
  3. Add the IBM chart repository to your Helm client.

     helm repo add iks-charts https://icr.io/helm/iks-charts

  4. Install the Container Image Security Enforcement Helm chart into your cluster.

     For Helm 2:

     helm install --name cise iks-charts/ibmcloud-image-enforcement

     For Helm 3:

     helm install cise iks-charts/ibmcloud-image-enforcement

  5. Container Image Security Enforcement is now installed, and applies the default security policy for all Kubernetes namespaces in your cluster. For information about customizing the security policy for Kubernetes namespaces in your cluster, or the cluster overall, see Customizing policies in the IBM Cloud documentation.

Usage

Run the control in your terminal:

powerpipe control run ibm_compliance.control.cis_v100_7_2_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_7_2_1 --share

SQL

This control uses a named query:

manual_control

Tags