nimbus
Prevent Deploy of Containers which can evade defenses: Registration of Malicious Network Functions
DS0032: Monitor for newly constructed containers that may deploy a container into an environment to facilitate execution or evade defenses.
Below is the list of Kyverno policies that can implement this intent. The intent must supply parameters such as the allowed image repositories and the allowed base images.
Please review the policies once again to ensure that there is adequate coverage for this intent.
Kyverno Policies:
- Allowed Image Repositories
- Allowed Base Images
- Advanced Restrict Image Registries
- Block Stale Images
- Check Image Base
- Disallow Helm Tiller
- Disallow latest tag
- Disallow use of the SecurityContextConstraint (SCC) anyuid
- Only trustworthy registries set root
- Require Image Source
- Require Image pull policy always (not needed if the latest tag is not used)
- Require image pull secrets
- Require images use checksums
- Restrict image registries
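As an added example (not part of the Nimbus page or project), a Kyverno ClusterPolicy that combines two policies from the list above, Restrict image registries and Disallow latest tag. The registry names `registry.example.com` and `ghcr.io/example-org` are placeholder parameters that the intent would supply.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: prevent-defense-evading-containers
spec:
  validationFailureAction: Enforce  # Audit would only report violations
  rules:
    # Restrict image registries: the registries below are placeholder parameters.
    - name: restrict-image-registries
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Images must be pulled from an allowed registry."
        pattern:
          spec:
            =(ephemeralContainers):
              - image: "registry.example.com/* | ghcr.io/example-org/*"
            =(initContainers):
              - image: "registry.example.com/* | ghcr.io/example-org/*"
            containers:
              - image: "registry.example.com/* | ghcr.io/example-org/*"
    # Disallow latest tag: require an explicit tag, then reject 'latest'.
    - name: require-image-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "An explicit image tag is required."
        pattern:
          spec:
            containers:
              - image: "*:*"
    - name: disallow-latest-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Mutable image tag 'latest' is not allowed."
        pattern:
          spec:
            containers:
              - image: "!*:latest"
```

Apply it with `kubectl apply -f` and verify by creating a Pod whose image is untagged or comes from a registry not in the list; with `Enforce` the admission request is rejected with the matching rule's message.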