Source: Kube Bench
ID: 5.1
Version: gke-1.2.0

5.1 Image Registry and Image Scanning

5.1.1 Ensure Image Vulnerability Scanning using GCR Container Analysis or a third-party provider (Manual)

Using Command Line:

gcloud services enable containerscanning.googleapis.com

5.1.2 Minimize user access to GCR (Manual)

Using Command Line: To change roles at the GCR bucket level, first grant read permission if it is required:

gsutil iam ch [TYPE]:[EMAIL-ADDRESS]:objectViewer \
  gs://artifacts.[PROJECT_ID].appspot.com

Then remove the excessively privileged role (Storage Admin / Storage Object Admin / Storage Object Creator) using:

gsutil iam ch -d [TYPE]:[EMAIL-ADDRESS]:[ROLE] \
  gs://artifacts.[PROJECT_ID].appspot.com

where:
[TYPE] can be one of the following:
        o user, if the [EMAIL-ADDRESS] is a Google account
        o serviceAccount, if [EMAIL-ADDRESS] specifies a Service account
[EMAIL-ADDRESS] can be one of the following:
        o a Google account (for example, someone@example.com)
        o a Cloud IAM service account

To modify roles defined at the project level and subsequently inherited within the GCR bucket, or the Service Account User role, extract the IAM policy file, modify it accordingly and apply it using:

gcloud projects set-iam-policy [PROJECT_ID] [POLICY_FILE]

5.1.3 Minimize cluster access to read-only for GCR (Manual)

Using Command Line: For an account explicitly granted access to the bucket, first add read access for the Kubernetes Service Account:

gsutil iam ch [TYPE]:[EMAIL-ADDRESS]:objectViewer \
  gs://artifacts.[PROJECT_ID].appspot.com

where:
[TYPE] can be one of the following:
        o user, if the [EMAIL-ADDRESS] is a Google account
        o serviceAccount, if [EMAIL-ADDRESS] specifies a Service account
[EMAIL-ADDRESS] can be one of the following:
        o a Google account (for example, someone@example.com)
        o a Cloud IAM service account

Then remove the excessively privileged role (Storage Admin / Storage Object Admin /
Storage Object Creator) using:

  gsutil iam ch -d [TYPE]:[EMAIL-ADDRESS]:[ROLE] \
  gs://artifacts.[PROJECT_ID].appspot.com

For an account that inherits access to the GCR bucket through project-level permissions,
modify the project's IAM policy file accordingly, then upload it using:

  gcloud projects set-iam-policy [PROJECT_ID] [POLICY_FILE]
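Before running the removals in 5.1.2 and 5.1.3 it helps to know which bindings on the bucket actually carry the excessive roles. The following is an added example, not part of kube-bench or the benchmark: it parses the JSON that `gsutil iam get gs://artifacts.[PROJECT_ID].appspot.com` prints, flags members holding Storage Admin / Storage Object Admin / Storage Object Creator, and emits the matching `gsutil iam ch -d` commands. The bucket name, the policy content and the allowed CI writer are constructed sample values.

```python
"""Audit a GCR backing bucket's IAM policy for the write-capable roles the
benchmark says registry consumers should not hold, and print removal commands.
Input is the JSON from `gsutil iam get gs://artifacts.[PROJECT_ID].appspot.com`."""
import json

# Roles named as excessive in 5.1.2 / 5.1.3, mapped to the short role names
# that `gsutil iam ch` accepts on the command line.
EXCESSIVE_ROLES = {
    "roles/storage.admin": "admin",
    "roles/storage.objectAdmin": "objectAdmin",
    "roles/storage.objectCreator": "objectCreator",
}


def find_excessive_bindings(policy_json, allowed_writers=()):
    """Return (member, short_role) pairs that should be removed from the bucket.

    allowed_writers lists members (e.g. a CI build service account) that
    legitimately push images and therefore keep their write role."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        short_role = EXCESSIVE_ROLES.get(binding.get("role"))
        if short_role is None:
            continue  # read-only or unrelated role: nothing to do
        for member in binding.get("members", []):
            if member not in allowed_writers:
                findings.append((member, short_role))
    return findings


def removal_commands(bucket, findings):
    """Render each finding as the `gsutil iam ch -d` command from the benchmark."""
    return [f"gsutil iam ch -d {member}:{role} gs://{bucket}" for member, role in findings]


# Constructed sample policy, shaped like real `gsutil iam get` output.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:gke-nodes@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["user:developer@example.com",
                     "serviceAccount:ci-builder@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.admin", "members": ["group:platform-team@example.com"]},
    ],
    "etag": "CAE=",
})

if __name__ == "__main__":
    allowed = {"serviceAccount:ci-builder@example-project.iam.gserviceaccount.com"}
    for cmd in removal_commands("artifacts.example-project.appspot.com",
                                find_excessive_bindings(SAMPLE_POLICY, allowed)):
        print(cmd)
```

Run it against live output with `gsutil iam get gs://artifacts.[PROJECT_ID].appspot.com > policy.json` and pass the file contents to `find_excessive_bindings`; review the printed commands before executing them.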

5.1.4 Minimize Container Registries to only those approved (Manual)

Using Command Line: First, update the cluster to enable Binary Authorization:

gcloud container clusters update [CLUSTER_NAME] \
  --enable-binauthz

Create a Binary Authorization Policy using the Binary Authorization Policy Reference (https://cloud.google.com/binary-authorization/docs/policy-yaml-reference) for guidance. Import the policy file into Binary Authorization:

gcloud container binauthz policy import [YAML_POLICY]