5.1.4 Minimize Container Registries to only those approved

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Use Binary Authorization to allowlist (whitelist) only approved container registries.

Rationale:

Allowing unrestricted access to external container registries provides the opportunity for malicious or unapproved containers to be deployed into the cluster. Allowlisting only approved container registries reduces this risk.

See also Recommendation 6.10.5.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Using Google Cloud Console

Go to Binary Authorization by visiting https://console.cloud.google.com/security/binary-authorization

Enable Binary Authorization API (if disabled)

Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list

Select the Kubernetes cluster for which Binary Authorization is disabled

Click EDIT

Set Binary Authorization to 'Enabled'

Click SAVE

Return to Binary Authorization by visiting https://console.cloud.google.com/security/binary-authorization

Set an appropriate policy for your cluster and enter the approved container registries under 'Image paths'.

Using Command Line

Update the cluster to enable Binary Authorization

gcloud container clusters update [CLUSTER_NAME] \
    --enable-binauthz

Create a Binary Authorization Policy using the Binary Authorization Policy Reference (https://cloud.google.com/binary-authorization/docs/policy-yaml-reference) for guidance.
Import the policy file into Binary Authorization:

gcloud container binauthz policy import [YAML_POLICY]
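
The command-line steps end at "import the policy file", but neither the benchmark text nor this audit shows what a registry-allowlisting policy looks like. The block below is an added example, not part of the CIS benchmark or Tenable's audit, written against the policy YAML reference linked above. It generates a policy whose default admission rule is ALWAYS_DENY and whose admissionWhitelistPatterns carry the approved registry paths, so anything outside those paths is rejected, and it keeps globalPolicyEvaluationMode: ENABLE so Google-maintained GKE system images are still admitted under the deny default. The project id, cluster name, zone and registry paths are placeholders. image_allowed is a hypothetical local approximation of the documented namePattern matching (an exact name, a trailing * for one more path segment, a trailing ** for any depth) for screening a manifest's images before enforcement; it is not the service's own evaluator.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark or the Tenable audit text.
# Placeholders: project id, cluster name/zone and registry paths.

# Emit a Binary Authorization policy (policy YAML reference format) that admits
# images only from the given registry path patterns. Everything else falls
# through to defaultAdmissionRule, which is ALWAYS_DENY.
# Args: <project-id> <namePattern>...
binauthz_policy() {
  project="$1"; shift
  # Roll out with BINAUTHZ_ENFORCEMENT=DRYRUN_AUDIT_LOG_ONLY first to see in the
  # audit log what would be blocked, then switch to the blocking mode.
  enforcement="${BINAUTHZ_ENFORCEMENT:-ENFORCED_BLOCK_AND_AUDIT_LOG}"
  printf 'name: projects/%s/policy\n' "$project"
  # Keep Google-maintained GKE system images deployable under the deny default.
  printf 'globalPolicyEvaluationMode: ENABLE\n'
  printf 'admissionWhitelistPatterns:\n'
  for pattern in "$@"; do
    printf '  - namePattern: %s\n' "$pattern"
  done
  printf 'defaultAdmissionRule:\n'
  printf '  evaluationMode: ALWAYS_DENY\n'
  printf '  enforcementMode: %s\n' "$enforcement"
}

# Hypothetical local approximation of the documented namePattern matching, so a
# manifest's images can be screened before enforcement: an exact name, a
# trailing "*" (exactly one more path segment) or a trailing "**" (any depth).
# Returns 0 if <image> matches any pattern, 1 otherwise.
image_allowed() {
  image="$1"; shift
  for pattern in "$@"; do
    case "$pattern" in
      */'**')
        prefix="${pattern%"**"}"
        case "$image" in "$prefix"*) return 0 ;; esac ;;
      */'*')
        prefix="${pattern%"*"}"
        rest="${image#"$prefix"}"
        # Prefix must match, and the remainder must be a single segment.
        if [ "$rest" != "$image" ] && [ -n "$rest" ] && [ "${rest#*/}" = "$rest" ]; then
          return 0
        fi ;;
      *)
        [ "$image" = "$pattern" ] && return 0 ;;
    esac
  done
  return 1
}

# Usage against a real project (requires gcloud and project access; not run here):
#   binauthz_policy my-project 'gcr.io/my-project/**' > policy.yaml
#   gcloud container clusters update my-cluster --zone us-central1-a --enable-binauthz
#   gcloud container binauthz policy import policy.yaml

# Local demo with constructed values: print the policy and screen one image.
binauthz_policy demo-project 'gcr.io/demo-project/**'
image_allowed 'docker.io/library/nginx:latest' 'gcr.io/demo-project/**' \
  || echo '# docker.io/library/nginx:latest would be denied by this policy'
```

Screening a manifest's image references with image_allowed before importing the policy shows which workloads would stop admitting once the default rule is ALWAYS_DENY; those images need to be mirrored into an approved registry first, which is the process the Impact section below refers to.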

Impact:

All container images to be deployed to the cluster must be hosted within an approved container image registry. If public registries are not on the allowlist, a process for bringing commonly used container images into an approved private registry and keeping them up to date will be required.

Default Value:

By default, Binary Authorization is disabled, so no container registry allowlist is enforced.

See Also

https://workbench.cisecurity.org/files/2764