4.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Configure Image Provenance for your deployment.

Rationale:

Kubernetes supports plugging in provenance rules to accept or reject the images in your deployments. You could configure such rules to ensure that only approved images are deployed in the cluster.

See also Recommendation 6.10.5 for GKE specifically.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Follow the Kubernetes documentation and set up image provenance.
See also Recommendation 6.10.5 for GKE specifically.
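
The ImagePolicyWebhook admission controller sends an `ImageReview` object (`imagepolicy.k8s.io/v1alpha1`) to a backend, which answers with `status.allowed`. The following is an added example of that backend decision logic, not code from the benchmark or from Kubernetes; the policy (one approved registry prefix plus mandatory digest pinning), the registry name and the sample requests are assumptions constructed for illustration.

```python
import re

# Assumed policy: images must come from an approved registry path and be
# pinned by digest. The registry name is a hypothetical placeholder.
APPROVED_PREFIXES = ("registry.example.internal/prod/",)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_image(image):
    """Return None if the image reference is acceptable, else a denial reason."""
    # The trailing slash in each prefix stops look-alike hosts such as
    # registry.example.internal.attacker.test from matching.
    if not image.startswith(APPROVED_PREFIXES):
        return f"{image}: registry or repository not approved"
    if not DIGEST_RE.search(image):
        return f"{image}: must be pinned by sha256 digest, not a mutable tag"
    return None


def review(image_review):
    """Evaluate an ImageReview request and build the ImageReview response."""
    spec = image_review.get("spec") or {}
    containers = spec.get("containers") or []
    reasons = [r for r in (check_image(c.get("image", "")) for c in containers) if r]
    if not containers:
        reasons.append("no containers in review request")  # fail closed
    status = {"allowed": not reasons}
    if reasons:
        status["reason"] = "; ".join(reasons)
    return {"apiVersion": "imagepolicy.k8s.io/v1alpha1",
            "kind": "ImageReview", "status": status}


def sample_request(*images):
    """Constructed ImageReview request in the shape the API server sends."""
    return {"apiVersion": "imagepolicy.k8s.io/v1alpha1", "kind": "ImageReview",
            "spec": {"namespace": "demo",
                     "containers": [{"image": i} for i in images]}}


if __name__ == "__main__":
    pinned = "registry.example.internal/prod/api@sha256:" + "a" * 64
    for req in (sample_request(pinned),
                sample_request(pinned, "nginx:latest"),
                sample_request("registry.example.internal/prod/api:1.4")):
        print(review(req)["status"])
```

The API server only consults such a backend when `ImagePolicyWebhook` is listed in `--enable-admission-plugins` and `--admission-control-config-file` points at the plugin configuration. Setting `defaultAllow: false` in that configuration makes admission fail closed when the backend is unreachable.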

Impact:

You need to regularly maintain your provenance configuration based on container image updates.

Default Value:

By default, image provenance is not set.

See Also

https://workbench.cisecurity.org/files/2764