Profile Applicability:
Level 2
Description:
In a Kubernetes environment, containers should be pulled only from trusted and approved container registries to ensure the integrity and security of the images. This check ensures that container registries are limited to a specific set of trusted, approved sources, reducing the risk of using untrusted or compromised images.
Rationale:
Pulling container images from unapproved or public registries increases the risk of deploying insecure or malicious images into your environment. By limiting container image sources to approved registries (e.g., Azure Container Registry, Docker Hub with security policies, or private repositories), you can ensure that only vetted and trusted images are deployed in your Kubernetes cluster.
Impact:
Pros:
Enhances security by ensuring that only trusted images are used in your Kubernetes cluster.
Reduces the risk of vulnerabilities and attacks from malicious container images.
Ensures compliance with security policies and regulatory requirements.
Cons:
Requires additional setup and configuration to specify and approve trusted registries.
Could introduce delays or additional administrative work when a required image is not available from an approved registry.
Default Value:
By default, Kubernetes allows container images to be pulled from any public or private registry unless explicitly restricted. Restricting image sources to approved registries, or limiting registry access to read-only roles, requires additional configuration.
Pre-requisites:
Ensure that Azure Active Directory (AAD) authentication is enabled for ACR and that role-based access control (RBAC) is properly configured for the registry.
Remediation:
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access Azure Container Registry (ACR).
Review the Access Control (IAM) settings under Security to verify role assignments.
Ensure that the roles AcrPull (read-only) and AcrPush (write access) are assigned appropriately. Only those who need to push images should have AcrPush assigned.
Using Azure CLI:
List the current role assignments for ACR to verify the access levels:
az role assignment list --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<acr-name>
Ensure that users and service principals who do not need to push images are only assigned the AcrPull role, while only trusted users have AcrPush.
Implementation Plan:
Using Azure Console:
In the Azure portal, go to Azure Container Registry and select Access Control (IAM).
Assign the AcrPull role to users and service principals who need read-only access to pull images from the registry.
Assign the AcrPush role to users or service accounts who need to push images to the registry.
Review and remove AcrPush from users or service accounts that do not need write access.
Using Azure CLI:
Assign the AcrPull role to users or service principals requiring read-only access:
az role assignment create --assignee <user-or-service-principal-id> --role AcrPull --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<acr-name>
Assign the AcrPush role to users or service principals that need write access:
az role assignment create --assignee <user-or-service-principal-id> --role AcrPush --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<acr-name>
Remove the AcrPush role from unauthorized users or service accounts with:
az role assignment delete --assignee <user-or-service-principal-id> --role AcrPush --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<acr-name>
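The audit from the Test Plan and the AcrPush removal from the Implementation Plan can be combined in a small script that reads the JSON produced by `az role assignment list --scope ... -o json`, flags every principal holding a write role who is not on an approved allowlist, and emits the matching `az role assignment delete` command. This is an added example, not part of the benchmark text; the allowlist name `APPROVED_PUSHERS`, the principal names, the GUIDs and the embedded assignment list are constructed sample data, and the JSON field names are assumed to match the CLI's output.

```python
import json

# Roles that allow writing images to the registry. AcrPush is the write role
# named in the control; the broad built-in Owner and Contributor roles also
# include registry push permissions, so they are flagged too.
WRITE_ROLES = {"AcrPush", "Owner", "Contributor"}

# Hypothetical allowlist: the only identities permitted to push images.
APPROVED_PUSHERS = {"ci-build-sp"}

REGISTRY_SCOPE = ("/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>"
                  "/providers/Microsoft.ContainerRegistry/registries/<acr-name>")

# Constructed sample standing in for `az role assignment list --scope ... -o json`.
# Field names assumed to follow the CLI output: principalId, principalName,
# principalType, roleDefinitionName, scope.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalId": "00000000-0000-0000-0000-000000000001", "principalName": "ci-build-sp",
     "principalType": "ServicePrincipal", "roleDefinitionName": "AcrPush", "scope": REGISTRY_SCOPE},
    {"principalId": "00000000-0000-0000-0000-000000000002", "principalName": "alice@example.com",
     "principalType": "User", "roleDefinitionName": "AcrPush", "scope": REGISTRY_SCOPE},
    {"principalId": "00000000-0000-0000-0000-000000000003", "principalName": "aks-kubelet-identity",
     "principalType": "ServicePrincipal", "roleDefinitionName": "AcrPull", "scope": REGISTRY_SCOPE},
    {"principalId": "00000000-0000-0000-0000-000000000004", "principalName": "bob@example.com",
     "principalType": "User", "roleDefinitionName": "Contributor", "scope": REGISTRY_SCOPE},
])


def find_unapproved_writers(assignments_json, approved_pushers):
    """Return assignments granting write access to a principal not on the allowlist."""
    findings = []
    for a in json.loads(assignments_json):
        role = a.get("roleDefinitionName")
        name = a.get("principalName")
        if role in WRITE_ROLES and name not in approved_pushers:
            findings.append({"principal": name, "principalId": a.get("principalId"),
                             "type": a.get("principalType"), "role": role, "scope": a.get("scope")})
    return findings


def remediation_commands(findings):
    """Build the `az role assignment delete` command from the control for each finding."""
    return [f"az role assignment delete --assignee {f['principalId']} "
            f"--role {f['role']} --scope {f['scope']}" for f in findings]


if __name__ == "__main__":
    findings = find_unapproved_writers(SAMPLE_ASSIGNMENTS, APPROVED_PUSHERS)
    for f in findings:
        print(f"{f['type']} {f['principal']} holds {f['role']} but is not an approved pusher")
    for cmd in remediation_commands(findings):
        print(cmd)
```

Review the generated commands before running them; a principal holding Owner or Contributor usually needs that role replaced with AcrPull rather than simply deleted.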
Backout Plan:
Using Azure Console:
If restricting access causes issues with workflows, revert to the previous configuration in the Azure portal by reassigning the AcrPush role to the affected users or service accounts.
Using Azure CLI:
Revert changes by reassigning AcrPush to users or service principals who need write access:
az role assignment create --assignee <user-or-service-principal-id> --role AcrPush --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<acr-name>