An error occurred:

Check: CNTR-MK-001380

Mirantis Kubernetes Engine STIG: CNTR-MK-001380 (in version v1 r1)

Title

MKE must only run signed images. (Cat II impact)

Discussion

Controlling the sources where container images can be pulled from allows the organization to define what software can be run within MKE. Allowing any container image to be introduced and instantiated within MKE may introduce malicious code and vulnerabilities to the platform and the hosting system. MKE registry must deny all container images except for those signed by organizational-approved sources.

Check Content

On each node, check that MKE is configured to only run images signed by applicable Orgs and Teams. 1. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Docker Content Trust. If Content Trust Settings "Run only signed images" is disabled, this is a finding. 2. Verify that the Orgs and Teams that images must be signed by in the drop-down matches the organizational policies. If an Org or Team selected does not match organizational policies, this is a finding. 3. Verify that all images sitting on an MKE cluster are signed. Via CLI: Linux: As an MKE Admin, execute the following commands using a client bundle: docker trust inspect $(docker images | awk '{print $1 ":" $2}') Verify that all image tags in the output have valid signatures. If the images are not signed, this is a finding.

Fix Text

On each node, enable Content Trust enforcement in MKE. 1. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Docker Content Trust. Under Content Trust Settings section, enable "Run only signed images". 2. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Docker Content Trust. Click "Add Team +" and set the appropriate Orgs and Teams that must sign images. Use the drop-down ("v") that follows to match the organizational policies. Remove any unwanted teams by clicking the minus symbol. Click "Save". 3. Manually remove any unsigned images sitting on an MKE cluster by executing the following: docker rmi <IMAGE_ID>

Additional Identifiers

Rule ID: SV-260942r966183_rule

Vulnerability ID: V-260942

Group Title: SRG-APP-000386-CTR-000920

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001749

The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
CCI-001774

The organization employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-5 (3)

Signed Components
CM-7 (5)

Authorized Software / Whitelisting