Control: 7.2.1 Block deployments of vulnerable images to Kubernetes clusters
Vulnerability Advisor provides security management for IBM Cloud Container Registry, generating a security status report that includes suggested fixes and best practices. Images for which Vulnerability Advisor reports vulnerabilities should not be deployed to Kubernetes clusters. Container Image Security Enforcement (CISE) retrieves information from Vulnerability Advisor to block deployments of vulnerable images.
- Set the cluster as the context for this session.
ibmcloud ks cluster config --cluster <cluster_name_or_ID>
- Set up Helm in your cluster.
- Add the IBM chart repository to your Helm client.
helm repo add iks-charts https://icr.io/helm/iks-charts
- Install the Container Image Security Enforcement Helm chart into your cluster.
For Helm 2:
helm install --name cise iks-charts/ibmcloud-image-enforcement
For Helm 3:
helm install cise iks-charts/ibmcloud-image-enforcement
- Container Image Security Enforcement is now installed, and applies the default security policy for all Kubernetes namespaces in your cluster. For information about customizing the security policy for Kubernetes namespaces in your cluster, or the cluster overall, see Customizing policies.
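As an added example (not part of this control's text or of IBM's chart), here is a per-namespace CISE ImagePolicy of the kind described under Customizing policies: the first document leaves Vulnerability Advisor checking disabled and so lets flagged images through, the second enforces it. The apiVersion, kind and field names are given as I recall them from the CISE custom resource definition, and the namespace name and repository pattern are placeholders; confirm both against the Customizing policies reference before applying.

```yaml
# WEAK: va.enabled is false, so images with Vulnerability Advisor findings
# are still admitted into the "apps" namespace (placeholder name).
apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
kind: ImagePolicy
metadata:
  name: weak-image-policy
  namespace: apps
spec:
  repositories:
    # Placeholder pattern: all images in your IBM Cloud Container Registry namespace.
    - name: "icr.io/my-namespace/*"
      policy:
        va:
          enabled: false   # Vulnerability Advisor results are ignored
        trust:
          enabled: false   # no content-trust (signature) requirement
---
# ENFORCED: va.enabled is true, so the admission webhook rejects any image for
# which Vulnerability Advisor reports an issue, which is what control 7.2.1 asks for.
apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
kind: ImagePolicy
metadata:
  name: enforced-image-policy
  namespace: apps
spec:
  repositories:
    - name: "icr.io/my-namespace/*"
      policy:
        va:
          enabled: true    # block deployment when VA reports vulnerabilities
        trust:
          enabled: false   # content trust is a separate control; left off here
    # Images from registries not listed here are denied by default, so any
    # repository you rely on must appear in this list.
```

Apply with kubectl apply -f and then attempt a deployment from an image that Vulnerability Advisor has flagged; the expected result is an admission error rather than a running pod.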
Run the control in your terminal:
steampipe check ibm_compliance.control.cis_v100_7_2_1
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share ibm_compliance.control.cis_v100_7_2_1
This control uses a named query: manual_control