
MKE must only run signed images.


Overview

Finding ID: V-260942
Version: CNTR-MK-001380
Rule ID: SV-260942r986164_rule
IA Controls: (none listed)
Severity: Medium
Description
Controlling the sources where container images can be pulled from allows the organization to define what software can be run within MKE. Allowing any container image to be introduced and instantiated within MKE may introduce malicious code and vulnerabilities to the platform and the hosting system. MKE registry must deny all container images except for those signed by organizational-approved sources.
STIG: Mirantis Kubernetes Engine Security Technical Implementation Guide
Date: 2024-06-17

Details

Check Text (C-64671r966181_chk)
On each node, check that MKE is configured to only run images signed by applicable Orgs and Teams.

1. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Docker Content Trust.

If Content Trust Settings "Run only signed images" is disabled, this is a finding.

2. Verify that the Orgs and Teams selected in the drop-down, by which images must be signed, match the organizational policies.

If an Org or Team selected does not match organizational policies, this is a finding.

3. Verify that all images sitting on an MKE cluster are signed.

Via CLI:
Linux: As an MKE Admin, execute the following commands using a client bundle:

docker trust inspect $(docker images | awk '{print $1 ":" $2}')

Verify that all image tags in the output have valid signatures. If the images are not signed, this is a finding.
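
The step 3 check as a script, added here as an illustration and not part of the STIG text: it skips the header row and dangling <none> entries that the one-line command passes to docker trust inspect, and counts a tag as signed only when the JSON output lists a signed tag. The registry name and sample listing are constructed; the script confirms that signature data exists, not that the signers match the Orgs and Teams selected in MKE.

```shell
#!/bin/sh
# Added example (not part of the STIG text): list local image tags that have
# no Docker Content Trust signature. Run with --audit from an MKE client bundle.

# Print "repository:tag" for each row of `docker images` output on stdin,
# skipping the header row and dangling <none> entries.
image_refs() {
  awk 'NR > 1 && $1 != "<none>" && $2 != "<none>" { print $1 ":" $2 }' |
    LC_ALL=C sort -u
}

# Succeed only if the `docker trust inspect` JSON on stdin lists at least one
# signed tag. An unsigned tag in a repository that has other signed tags still
# returns JSON (signers and keys only), so the exit status alone is not enough.
has_signed_tag() {
  grep -q '"SignedTag"'
}

# Read image references on stdin; print the ones without a signed tag.
unsigned_images() {
  while IFS= read -r ref; do
    docker trust inspect "$ref" 2>/dev/null </dev/null | has_signed_tag ||
      printf '%s\n' "$ref"
  done
}

# Constructed sample of `docker images` output (hypothetical registry name).
SAMPLE_IMAGES='REPOSITORY               TAG      IMAGE ID       CREATED      SIZE
registry.example/app     1.0      aaaaaaaaaaaa   2 days ago   50MB
registry.example/app     dev      bbbbbbbbbbbb   2 days ago   51MB
<none>                   <none>   cccccccccccc   3 days ago   10MB
registry.example/tools   2.3      dddddddddddd   4 days ago   20MB'

if [ "${1:-}" = "--audit" ]; then
  # Live check: every reference printed here is a finding under step 3.
  unsigned=$(docker images | image_refs | unsigned_images)
  [ -z "$unsigned" ] && exit 0
  printf '%s\n' "$unsigned" | sed 's/^/UNSIGNED (finding): /'
  exit 1
else
  # Offline demonstration of the parsing step only.
  printf '%s\n' "$SAMPLE_IMAGES" | image_refs
fi
```
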
Fix Text (F-64579r966182_fix)
On each node, enable Content Trust enforcement in MKE.

1. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Docker Content Trust.

Under the Content Trust Settings section, enable "Run only signed images".

2. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Docker Content Trust.

Click "Add Team +" and set the appropriate Orgs and Teams that must sign images. Use the drop-down ("v") that follows to match the organizational policies.

Remove any unwanted teams by clicking the minus symbol.

Click "Save".

3. Manually remove any unsigned images sitting on an MKE cluster by executing the following:

docker rmi <image>