Gate images deployed to Kubernetes cluster
Gate the deployment of images to the Kubernetes cluster to prevent deploying images that do not meet the organization's content trust requirements. This can include limiting deployments to images from trusted registries, requiring images to carry a digital signature, or requiring them to pass vulnerability scanning and other checks. Such gating prevents potential adversaries from running their own malicious images in the cluster and ensures that only images that passed the organization's security compliance policies are deployed. The Kubernetes admission controller mechanism is one of the commonly used tools for implementing such a policy.
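As an added illustration (not part of the original page), the core of a validating admission webhook that enforces two of the gates described above: every container image in a Pod must come from a trusted registry and must be pinned by a sha256 digest rather than a mutable tag. The trusted registry list, the AdmissionReview sample, and the helper names are constructed for this example; signature verification and scan results would be extra checks layered on the same hook.

```python
import re

# Registries the organization trusts (constructed example values, an assumption).
TRUSTED_REGISTRIES = {"registry.internal.example.com", "mcr.microsoft.com"}

# Image reference: optional registry host, repository path, optional :tag, optional @digest.
IMAGE_RE = re.compile(
    r"^(?:(?P<registry>[^/]+\.[^/]+|localhost(?::\d+)?|[^/]+:\d+)/)?"
    r"(?P<path>[a-z0-9._\-/]+)(?::(?P<tag>[\w.\-]+))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def check_image(ref):
    """Return None if the reference satisfies policy, otherwise the reason it fails."""
    m = IMAGE_RE.match(ref)
    if not m:
        return f"{ref}: unparseable image reference"
    registry = m.group("registry") or "docker.io"  # no host part means Docker Hub
    if registry not in TRUSTED_REGISTRIES:
        return f"{ref}: registry {registry} is not trusted"
    if not m.group("digest"):
        return f"{ref}: must be pinned by sha256 digest, not a mutable tag"
    return None


def review(admission_review):
    """Validate every container image in a Pod AdmissionReview; return the response."""
    req = admission_review["request"]
    spec = req["object"]["spec"]
    containers = (spec.get("initContainers", []) + spec.get("containers", [])
                  + spec.get("ephemeralContainers", []))
    reasons = [r for r in (check_image(c["image"]) for c in containers) if r]
    resp = {"uid": req["uid"], "allowed": not reasons}
    if reasons:
        resp["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": resp}


# Constructed AdmissionReview request, as the API server would POST it to the webhook.
SAMPLE_REQUEST = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "demo-uid", "kind": {"kind": "Pod"}, "object": {"spec": {
        "initContainers": [{"name": "init", "image":
            "registry.internal.example.com/base/init@sha256:" + "a" * 64}],
        "containers": [{"name": "web", "image": "nginx:latest"}]}}}}

if __name__ == "__main__":
    print(review(SAMPLE_REQUEST))
```

Because the init container is digest-pinned from a trusted registry but the web container is an unpinned Docker Hub image, the sample request is denied with a message naming the offending image.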
Techniques Addressed by Mitigation
ID | Name | Use |
---|---|---|
MS-TA9002 | Compromised image in registry | Ensure that only images that passed the security compliance policies are pushed to registries and deployed to Kubernetes clusters. |
MS-TA9004 | Application vulnerability | Scan images for vulnerabilities |
MS-TA9008 | New container | Restrict deployment of new containers from trusted supply chain |
MS-TA9009 | Application exploit (RCE) | Block vulnerable images |
MS-TA9011 | Sidecar injection | Restrict deployment of new containers from trusted supply chain |
MS-TA9012 | Backdoor container | Restrict deployment of new containers from trusted supply chain |
MS-TA9014 | Kubernetes CronJob | Restrict deployment of new containers from trusted supply chain |
MS-TA9018 | Privileged container | Restrict deployment of new containers from trusted supply chain |
MS-TA9023 | Pod or container name similarity | Restrict deployment of new containers from trusted supply chain |