Configure image provenance using ImagePolicyWebhook admission controller

kubernetes

Classification: compliance

Framework: cis-kubernetes

Control: 5.5.1

Set up the kubernetes integration.

Description

Configure image provenance for your deployment.

Rationale

Kubernetes supports plugging in provenance rules to accept or reject the images in your deployments. You could configure such rules to ensure that only approved images are deployed in the cluster.

Audit

Review the pod definitions in your cluster and verify that image provenance is configured as appropriate.

Remediation

Follow the Kubernetes documentation and set up image provenance.
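A concrete form of this remediation, added here as an example and not taken from the CIS benchmark, the Kubernetes project, or the references above: the AdmissionConfiguration that enables ImagePolicyWebhook on the API server, the kubeconfig-style file that tells the plugin how to reach the policy backend, and a sample ImageReview request and response so the shape of the exchange is visible. The API server reads this file when started with `--enable-admission-plugins=...,ImagePolicyWebhook` and `--admission-control-config-file=<path>`, which is also what an auditor checks for. All file paths, the backend hostname, the namespace, the image names and the annotation are assumptions chosen for the example.

```yaml
# /etc/kubernetes/admission/admission-config.yaml  (assumed path)
# Passed to the API server with --admission-control-config-file.
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: ImagePolicyWebhook
    configuration:
      imagePolicy:
        # kubeconfig-format file describing the backend (second document below)
        kubeConfigFile: /etc/kubernetes/admission/imagepolicy-kubeconfig.yaml
        # how long (seconds) allow and deny answers are cached
        allowTTL: 50
        denyTTL: 50
        # delay (milliseconds) between retries to the backend
        retryBackoff: 500
        # Behaviour when the backend is unreachable. false = fail closed and
        # reject the pod; the upstream example uses true, which fails open.
        defaultAllow: false
---
# /etc/kubernetes/admission/imagepolicy-kubeconfig.yaml  (assumed path)
# "clusters" is the remote policy service; "users" is the client certificate
# the API server presents to it.
clusters:
  - name: image-policy-backend
    cluster:
      certificate-authority: /etc/kubernetes/admission/backend-ca.pem   # CA that signed the backend cert
      server: https://image-policy.example.internal/policy              # must be https
users:
  - name: kube-apiserver
    user:
      client-certificate: /etc/kubernetes/admission/apiserver-client.pem
      client-key: /etc/kubernetes/admission/apiserver-client-key.pem
---
# Request the API server POSTs to the backend for each pod it admits
# (constructed sample; the digest is a placeholder, not a real image).
apiVersion: imagepolicy.k8s.io/v1alpha1
kind: ImageReview
spec:
  namespace: payments
  containers:
    - image: registry.example.internal/payments/api@sha256:<digest-placeholder>
    - image: docker.io/library/redis:latest
  annotations:
    # only pod annotations whose key matches *.image-policy.k8s.io/* are forwarded
    example.image-policy.k8s.io/ticket: "CHG-0000 (constructed)"
---
# Backend reply (constructed). The pod is admitted only if status.allowed is true;
# reason is surfaced to the user when it is rejected.
apiVersion: imagepolicy.k8s.io/v1alpha1
kind: ImageReview
status:
  allowed: false
  reason: "docker.io/library/redis:latest is not from an approved registry"
```

The backend decides per pod, not per image, so a single disallowed container rejects the whole pod. Keep `defaultAllow: false` unless an outage of the policy service is an acceptable reason to admit unchecked images, and remember that `allowTTL`/`denyTTL` mean a revoked image can still be admitted from cache for up to that many seconds.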

Impact

You need to regularly maintain your provenance configuration based on container image updates.

Default value

By default, image provenance is not set.

References

  1. https://kubernetes.io/docs/admin/admission-controllers/#imagepolicywebhook
  2. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/image-provenance.md
  3. https://hub.docker.com/r/dnurmi/anchore-toolbox/
  4. https://github.com/kubernetes/kubernetes/issues/22888

CIS controls

Version 6, Control 18: Application Software Security