Check: CNTR-MK-001600
Mirantis Kubernetes Engine STIG: CNTR-MK-001600 (in version v1 r1)
Title
Older Universal Control Plane (MKE) and Docker Trusted Registry (DTR) images must be removed from all cluster nodes upon upgrading. (Cat II impact)
Discussion
When upgrading either the UCP or DTR components of MKE, the newer images are pulled (or unpacked if offline) onto engine nodes in a cluster. Once the upgrade is complete, one must manually remove all old image versions from the cluster nodes to meet the requirements of this control. When upgrading the Docker Engine - Enterprise component of MKE, the old package version is automatically replaced.
Check Content
Verify all outdated MKE and DTR container images have been removed from all nodes in the cluster.

Via CLI: As an MKE admin, execute the following commands using a client bundle:

docker images --filter reference='mirantis/[ucp]*'
docker images --filter reference='registry.mirantis.com/msr/[msr]*'

Verify there are no tags listed older than the currently installed versions of MKE and DTR. If any of the tags listed are older than the currently installed versions of MKE and DTR, then this is a finding. If no tags are listed, this is not a finding.
Fix Text
Remove all outdated MKE and DTR container images from all nodes in the cluster.

Via CLI: As an MKE admin, execute the following commands using a client bundle:

docker rmi -f $(docker images --filter reference='mirantis/ucp*:[outdated_tags]' -q)
docker rmi -f $(docker images --filter reference='registry.mirantis.com/msr/[msr]*:[outdated_tags]' -q)
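An added shell example (not part of the STIG and not Mirantis tooling) that applies the check logic above to a constructed `docker images --format '{{.Repository}}:{{.Tag}}'` listing from one node: it keeps only the UCP/MKE and MSR/DTR repositories and reports tags numerically older than the installed versions, which is the comparison the check asks an admin to make by eye. The installed versions 3.7.5 and 3.1.2 and the image list are assumptions; on a real node the listing would come from the docker command itself.

```shell
#!/bin/sh
# Constructed sample of `docker images --format '{{.Repository}}:{{.Tag}}'`
# output; versions are illustrative, not real MKE/MSR releases.
SAMPLE_IMAGES='mirantis/ucp:3.7.5
mirantis/ucp-agent:3.7.5
mirantis/ucp:3.6.8
mirantis/ucp-agent:3.6.8
mirantis/ucp:<none>
registry.mirantis.com/msr/msr:3.1.2
registry.mirantis.com/msr/msr-api:3.0.9'

# version_older A B: succeeds when dotted version A is numerically older
# than B, comparing field by field (missing fields count as 0).
version_older() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# outdated_images PREFIX CURRENT: read "repo:tag" lines on stdin and print
# those whose repository starts with PREFIX and whose tag is older than
# CURRENT. Tags that are not plain x.y.z (e.g. <none>) are skipped.
outdated_images() {
  prefix=$1; current=$2
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    repo=${ref%:*}; tag=${ref##*:}   # assumes no port in the registry host
    case $repo in "$prefix"*) ;; *) continue ;; esac
    case $tag in *[!0-9.]*) continue ;; esac
    if version_older "$tag" "$current"; then
      printf '%s\n' "$ref"
    fi
  done
}

# report: any line printed here is an image this check treats as a finding.
report() {
  printf '%s\n' "$SAMPLE_IMAGES" | outdated_images mirantis/ucp 3.7.5
  printf '%s\n' "$SAMPLE_IMAGES" | outdated_images registry.mirantis.com/msr/msr 3.1.2
}

report
```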
Additional Identifiers
Rule ID: SV-260944r966189_rule
Vulnerability ID: V-260944
Group Title: SRG-APP-000454-CTR-001110
Expert Comments
CCIs
Number | Definition
---|---
CCI-002617 | The organization removes organization-defined software components (e.g., previous versions) after updated versions have been installed.
Controls
Number | Title
---|---
SI-2 (6) | Removal Of Previous Versions Of Software / Firmware