azure-policy
Container images should be deployed from trusted registries only: Query should be done on Image ID instead of Image
Details of the scenario you tried and the problem that is occurring
The policy seems to trigger on the Image value which does not show the registry in the Image section. The Image ID shows the registry.
Verbose logs showing the problem
Containers:
  loki:
    Container ID:  containerd://caa76775c202876a78fecd85886b6ebee53f1827b4853ea49835078c54207013
    Image:         grafana/loki:2.2.0
    Image ID:      docker.io/grafana/loki@sha256:83649aa867ffdc353cea17e9465bfc26b1f172c78c19ac906400b5028576c3f3
and:
Init Containers:
  init-chown-data:
    Container ID:  containerd://b0a6f257580d44ab864390c64549c1b417582eb4f4663a20825a3391c6c39ae0
    Image:         busybox:1.31.1
    Image ID:      docker.io/library/busybox@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209
Suggested solution to the issue
Query on Image ID instead of Image.
If policy is Guest Configuration - details about target node
N/A
Adding @miwithro to triage this issue.
- containerID: containerd://21053c86855ad16dfbe7a759f45225f7ec523e120e983e29d2c8aa8289a5cab7
  image: docker.io/rancher/local-path-provisioner:v0.0.14
  imageID: sha256:e422121c9c5f97623245b7e600eeb5e223ee623f21fa04da985ae71057d8d70b
imageID will not always show the registry of docker.io. It will cause confusion if the unstable function
Any updates on this issue?
Thanks for the suggestion and idea. Currently we will not adopt the suggestion because it cannot absolutely solve the docker.io missing and will cause some usage confusions.