🧹 Fix: Container image pull should be consistent (#406)
Adds `props` to exclude containers from some checks based on image
digest:
```
    props:
      - uid: excludedByFixedImages
        title: Exclude containers from the check when using fixed images using hash values.
        mql: |
          return [
            # Add container images <image-name>@<digest>
            # image@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
          ]
```

---------

Signed-off-by: Manuel Weber <[email protected]>
mm-weber authored Jun 11, 2024
1 parent c393a41 commit a141f86
Showing 1 changed file with 101 additions and 15 deletions.
116 changes: 101 additions & 15 deletions core/mondoo-kubernetes-security.mql.yaml
Expand Up @@ -4250,10 +4250,24 @@ queries:
- uid: mondoo-kubernetes-security-pod-imagepull
title: Container image pull should be consistent
impact: 60
props:
- uid: excludedByFixedImages
title: Exclude containers from the check when using fixed images using hash values.
mql: |
return [
# Add container images <image-name>@<digest>
# image@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
]
mql: |
k8s.pod.ephemeralContainers.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
k8s.pod.initContainers.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
k8s.pod.containers.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
k8s.pod.ephemeralContainers
.where(image.in(props.excludedByFixedImages) != true)
.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
k8s.pod.initContainers
.where(image.in(props.excludedByFixedImages) != true)
.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
k8s.pod.containers
.where(image.in(props.excludedByFixedImages) != true)
.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
docs:
desc: |
It's important that each time a pod is started the same container is pulled, so that services across pods behave the same. To ensure the same container is always used, manifests should set `imagePullPolicy: Always` and the `image` configuration should pull either a tag or a digest (SHA).
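Review bot: Nothing in the new `.where(image.in(props.excludedByFixedImages) != true)` filter verifies that an entry in the list is actually a digest-pinned reference, so a tag-only entry such as `nginx:1.25` would exempt a mutable image from the whole `imagePullPolicy == 'Always'` check even though the prop title promises "fixed images using hash values". Suggest guarding the exclusion, for example `.where(image.in(props.excludedByFixedImages) != true || image.contains('@sha256:') != true)`, or at least stating the `<name>@sha256:<digest>` requirement in the prop title rather than only in a comment inside the default list. The `docs.desc` below the hunk is unchanged and still says the image should "pull either a tag or a digest (SHA)" without mentioning that digest-pinned containers can now be excluded from the pull-policy requirement.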
Expand Down Expand Up @@ -4290,9 +4304,21 @@ queries:
- uid: mondoo-kubernetes-security-cronjob-imagepull
title: Container image pull should be consistent
impact: 60
props:
- uid: excludedByFixedImages
title: Exclude containers from the check when using fixed images using hash values.
mql: |
return [
# Add container images <image-name>@<digest>
# image@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
]
mql: |
k8s.cronjob.initContainers.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
k8s.cronjob.containers.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
k8s.cronjob.initContainers
.where(image.in(props.excludedByFixedImages) != true)
.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
k8s.cronjob.containers
.where(image.in(props.excludedByFixedImages) != true)
.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
docs:
desc: |
It's important that each time a pod is started the same container is pulled, so that services across pods behave the same. To ensure the same container is always used, manifests should set `imagePullPolicy: Always` and the `image` configuration should pull either a tag or a digest (SHA).
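Review bot: The `props` block with its default empty `return [ ... ]` list is copied verbatim into this query and into the pod, statefulset, deployment, job, replicaset and daemonset queries, so an operator who wants to exclude one digest-pinned image has to add it to seven separate lists and keep them in sync. If the policy format allows a prop to be defined once and referenced from several queries, defining `excludedByFixedImages` a single time would remove that maintenance burden; if it does not, the limitation should be called out in the prop title or the docs.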
Expand Down Expand Up @@ -4329,9 +4355,21 @@ queries:
- uid: mondoo-kubernetes-security-statefulset-imagepull
title: Container image pull should be consistent
impact: 60
props:
- uid: excludedByFixedImages
title: Exclude containers from the check when using fixed images using hash values.
mql: |
return [
# Add container images <image-name>@<digest>
# image@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
]
mql: |
k8s.statefulset.initContainers.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
k8s.statefulset.containers.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
k8s.statefulset.initContainers
.where(image.in(props.excludedByFixedImages) != true)
.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
k8s.statefulset.containers
.where(image.in(props.excludedByFixedImages) != true)
.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
docs:
desc: |
It's important that each time a pod is started the same container is pulled, so that services across pods behave the same. To ensure the same container is always used, manifests should set `imagePullPolicy: Always` and the `image` configuration should pull either a tag or a digest (SHA).
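Review bot: `image.in(props.excludedByFixedImages)` is an exact string comparison, so an entry only matches when the manifest uses the identical reference string, including the registry host and repository path: `docker.io/library/nginx@sha256:...` in the list will not match a container that specifies `nginx@sha256:...`, and vice versa. Worth documenting in the prop title (`Exclude containers whose image reference exactly matches one of these digest-pinned references`) so users are not surprised when an exclusion silently fails to apply.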
Expand Down Expand Up @@ -4368,9 +4406,21 @@ queries:
- uid: mondoo-kubernetes-security-deployment-imagepull
title: Container image pull should be consistent
impact: 60
props:
- uid: excludedByFixedImages
title: Exclude containers from the check when using fixed images using hash values.
mql: |
return [
# Add container images <image-name>@<digest>
# image@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
]
mql: |
k8s.deployment.initContainers.all( imagePullPolicy == 'Always' && correctImage = image != /:latest/ && image.contains(':') == true )
k8s.deployment.containers.all( imagePullPolicy == 'Always' && correctImage = image != /:latest/ && image.contains(':') == true )
k8s.deployment.initContainers
.where(image.in(props.excludedByFixedImages) != true)
.all( imagePullPolicy == 'Always' && correctImage = image != /:latest/ && image.contains(':') == true )
k8s.deployment.containers
.where(image.in(props.excludedByFixedImages) != true)
.all( imagePullPolicy == 'Always' && correctImage = image != /:latest/ && image.contains(':') == true )
docs:
desc: |
It's important that each time a pod is started the same container is pulled, so that services across pods behave the same. To ensure the same container is always used, manifests should set `imagePullPolicy: Always` and the `image` configuration should pull either a tag or a digest (SHA).
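Review bot: The `.all(...)` expressions for `k8s.deployment.initContainers` and `k8s.deployment.containers` still contain `correctImage = image != /:latest/`, carried over from the removed lines, while the other six queries in this commit use plain `image != /:latest/`. An assignment in the middle of a boolean chain reads as a leftover and makes the deployment check differ from the others for no stated reason; suggest changing both lines to `.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )` so all seven queries evaluate the same condition.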
Expand Down Expand Up @@ -4407,9 +4457,21 @@ queries:
- uid: mondoo-kubernetes-security-job-imagepull
title: Container image pull should be consistent
impact: 60
props:
- uid: excludedByFixedImages
title: Exclude containers from the check when using fixed images using hash values.
mql: |
return [
# Add container images <image-name>@<digest>
# image@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
]
mql: |
k8s.job.initContainers.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
k8s.job.containers.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
k8s.job.initContainers
.where(image.in(props.excludedByFixedImages) != true)
.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
k8s.job.containers
.where(image.in(props.excludedByFixedImages) != true)
.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
docs:
desc: |
It's important that each time a pod is started the same container is pulled, so that services across pods behave the same. To ensure the same container is always used, manifests should set `imagePullPolicy: Always` and the `image` configuration should pull either a tag or a digest (SHA).
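Review bot: The prop title "Exclude containers from the check when using fixed images using hash values." is awkward to read and does not say what format the entries take; the format only appears in the comment `# Add container images <image-name>@<digest>` inside the default list, which users will overwrite when they add entries. Suggest a title such as "Exclude containers that use digest-pinned images (`<image>@sha256:<digest>`)" and keeping the example comment line as is.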
Expand Down Expand Up @@ -4446,9 +4508,21 @@ queries:
- uid: mondoo-kubernetes-security-replicaset-imagepull
title: Container image pull should be consistent
impact: 60
props:
- uid: excludedByFixedImages
title: Exclude containers from the check when using fixed images using hash values.
mql: |
return [
# Add container images <image-name>@<digest>
# image@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
]
mql: |
k8s.replicaset.containers.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
k8s.replicaset.initContainers.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
k8s.replicaset.containers
.where(image.in(props.excludedByFixedImages) != true)
.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
k8s.replicaset.initContainers
.where(image.in(props.excludedByFixedImages) != true)
.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
docs:
desc: |
It's important that each time a pod is started the same container is pulled, so that services across pods behave the same. To ensure the same container is always used, manifests should set `imagePullPolicy: Always` and the `image` configuration should pull either a tag or a digest (SHA).
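Review bot: The commit changes only `core/mondoo-kubernetes-security.mql.yaml`, so there is no test fixture covering the new behaviour. A test that a replicaset container using a digest-pinned image with `imagePullPolicy: IfNotPresent` fails without the exclusion and passes once the reference is listed in `excludedByFixedImages`, plus the negative case of a `:latest` image that is never exempted, would lock in the intent of the `.where(...)` filter and catch the `correctImage =` inconsistency in the deployment query.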
Expand Down Expand Up @@ -4485,9 +4559,21 @@ queries:
- uid: mondoo-kubernetes-security-daemonset-imagepull
title: Container image pull should be consistent
impact: 60
props:
- uid: excludedByFixedImages
title: Exclude containers from the check when using fixed images using hash values.
mql: |
return [
# Add container images <image-name>@<digest>
# image@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
]
mql: |
k8s.daemonset.containers.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
k8s.daemonset.initContainers.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
k8s.daemonset.containers
.where(image.in(props.excludedByFixedImages) != true)
.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
k8s.daemonset.initContainers
.where(image.in(props.excludedByFixedImages) != true)
.all( imagePullPolicy == 'Always' && image != /:latest/ && image.contains(':') == true )
docs:
desc: |
It's important that each time a pod is started the same container is pulled, so that services across pods behave the same. To ensure the same container is always used, manifests should set `imagePullPolicy: Always` and the `image` configuration should pull either a tag or a digest (SHA).
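Review bot: Because `.where(...)` runs before `.all(...)`, a daemonset whose containers and initContainers are all listed in `excludedByFixedImages` evaluates `.all` over an empty list and the check passes vacuously rather than being skipped. That is probably the intended outcome, but the `docs.desc` below still describes the check as requiring `imagePullPolicy: Always` for every container; add a sentence explaining that excluded digest-pinned containers are not evaluated and that a fully excluded workload reports as passing.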