1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
|
documentation_complete: true
title: 'Ensure that the Admission Control Plugin AlwaysPullImages is not set'
{{% set default_jqfilter = '[.data."config.yaml" | fromjson]' %}}
{{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
{{% set hypershift_path = '/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config' %}}
{{% set hypershift_jqfilter = '[.data."config.json" | fromjson]' %}}
{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
description: |-
The <tt>AlwaysPullImages</tt> admission control plugin should be disabled,
since it can introduce new failure modes for control plane components if an
image registry is unreachable.
rationale: |-
Setting admission control policy to AlwaysPullImages forces every new pod
to pull the required images every time. In a multi-tenant cluster users can
be assured that their private images can only be used by those who have the
credentials to pull them. Without this admission control policy, once an
image has been pulled to a node, any pod from any user can use it simply by
knowing the image’s name, without any authorization check against the image
ownership. When this plug-in is enabled, images are always pulled prior to
starting containers, which means valid credentials are required.
However, turning on this admission plugin can introduce new kinds of
cluster failure modes. OpenShift 4 master and infrastructure components are
deployed as pods. Enabling this feature can result in cases where loss of
contact to an image registry can cause a redeployed infrastructure pod
(oauth-server for example) to fail on an image pull for an image that is
currently present on the node. We use PullIfNotPresent so that a loss of
image registry access does not prevent the pod from starting. If it
becomes PullAlways, then an image registry access outage can cause key
infrastructure components to fail.
The pull policy can be managed per container, using
<tt>imagePullPolicy</tt>.
severity: high
references:
cis@ocp4: 1.2.11
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
pcidss: Req-2.2
srg: SRG-APP-000516-CTR-001325
platform: not ocp4-on-hypershift-hosted
ocil_clause: '<tt>AlwaysPullImages</tt> is included in <tt>admissionConfig</tt>'
ocil: |-
Run the following command:
<pre>$ oc -n openshift-kube-apiserver get configmap config -o json | jq -r '.data."config.yaml"' | jq '.apiServerArguments."enable-admission-plugins"'</pre>
The output list should not contain <pre>"AlwaysPullImages"</pre>.
warnings:
- general: |-
{{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}}
template:
name: yamlfile_value
vars:
ocp_data: "true"
check_existence: "none_exist"
filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
yamlpath: '.apiServerArguments["enable-admission-plugins"][:]'
values:
- value: '^AlwaysPullImages$'
operation: "pattern match"
|
