MKE must only run signed images.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-260942	CNTR-MK-001380	SV-260942r986164_rule		Medium

Description
Controlling the sources where container images can be pulled from allows the organization to define what software can be run within MKE. Allowing any container image to be introduced and instantiated within MKE may introduce malicious code and vulnerabilities to the platform and the hosting system. MKE registry must deny all container images except for those signed by organizational-approved sources.

Description

Controlling the sources where container images can be pulled from allows the organization to define what software can be run within MKE. Allowing any container image to be introduced and instantiated within MKE may introduce malicious code and vulnerabilities to the platform and the hosting system. MKE registry must deny all container images except for those signed by organizational-approved sources.

STIG	Date
Mirantis Kubernetes Engine Security Technical Implementation Guide	2024-06-17

Details

Check Text ( C-64671r966181_chk )
On each node, check that MKE is configured to only run images signed by applicable Orgs and Teams. 1. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Docker Content Trust. If Content Trust Settings "Run only signed images" is disabled, this is a finding. 2. Verify that the Orgs and Teams that images must be signed by in the drop-down matches the organizational policies. If an Org or Team selected does not match organizational policies, this is a finding. 3. Verify that all images sitting on an MKE cluster are signed. Via CLI: Linux: As an MKE Admin, execute the following commands using a client bundle: docker trust inspect $(docker images \| awk '{print $1 ":" $2}') Verify that all image tags in the output have valid signatures. If the images are not signed, this is a finding.

Check Text ( C-64671r966181_chk )

On each node, check that MKE is configured to only run images signed by applicable Orgs and Teams.

1. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Docker Content Trust.

If Content Trust Settings "Run only signed images" is disabled, this is a finding.

2. Verify that the Orgs and Teams that images must be signed by in the drop-down matches the organizational policies.

If an Org or Team selected does not match organizational policies, this is a finding.

3. Verify that all images sitting on an MKE cluster are signed.

Via CLI:
Linux: As an MKE Admin, execute the following commands using a client bundle:

docker trust inspect $(docker images | awk '{print $1 ":" $2}')

Verify that all image tags in the output have valid signatures. If the images are not signed, this is a finding.

Fix Text (F-64579r966182_fix)
On each node, enable Content Trust enforcement in MKE. 1. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Docker Content Trust. Under Content Trust Settings section, enable "Run only signed images". 2. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Docker Content Trust. Click "Add Team +" and set the appropriate Orgs and Teams that must sign images. Use the drop-down ("v") that follows to match the organizational policies. Remove any unwanted teams by clicking the minus symbol. Click "Save". 3. Manually remove any unsigned images sitting on an MKE cluster by executing the following: docker rmi

Fix Text (F-64579r966182_fix)

On each node, enable Content Trust enforcement in MKE.

1. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Docker Content Trust.

Under Content Trust Settings section, enable "Run only signed images".

2. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Docker Content Trust.

Click "Add Team +" and set the appropriate Orgs and Teams that must sign images. Use the drop-down ("v") that follows to match the organizational policies.

Remove any unwanted teams by clicking the minus symbol.

Click "Save".

3. Manually remove any unsigned images sitting on an MKE cluster by executing the following:

docker rmi