Image Admission
With the Image Assurance policy, CloudGuard assesses the compliance of scanned images. While Image Assurance can only detect vulnerabilities in the image, Image Admission can prevent image deployment in a cluster. The image is allowed if it was scanned in at least one of the related environments (ShiftLeft, Container Registry, or Kubernetes cluster) and found compliant.
For Image Admission, images scanned in a ShiftLeft or Container Registry environment are considered a primary source. If no previous image sources are available, images scanned from a Kubernetes cluster environment are considered a secondary source.
Image Assurance Policy
The Image Assurance policy can have these two actions, disabled by default:
- Image Admission Action - Detection or Prevention, to enforce non-compliant images based on the scan results.
- Image Admission UnScanned Action - Detection or Prevention, to enforce images that were not scanned.
To receive correct image scanning results, use for the Kubernetes environment the same ruleset that was used for the applicable ShiftLeft, Container Registry, or Kubernetes cluster environment.
Note - Image Enforcement is done based on the image name. If the image is scanned on a ShiftLeft environment, make sure that the image is correctly tagged before the scan.
Detect or Prevent Modes
Enforcement
When a new workload is created, all of its images are checked for compliance or scan status, depending on the selected action. When a workload is updated, CloudGuard checks only the changed or added images (for each selected action).
Prevention
When you enable a Prevention policy, the Image Admission Enforcer agent blocks the deployment of workloads with non-compliant or not scanned images. The Kubernetes user receives this error message in their CLI:
Exclusions
Use exclusions to allow registries, specific images, usernames, roles, or namespaces. For more information, see Configuring CloudGuard Exclusions.
In exclusions, use "%" as a wildcard.
- Username - Write the exclusion as GSL, for example, %@checkpoint.com
- Roles - Write the exclusion as GSL, for example, %myrole%
- Groups - Write the exclusion as GSL, for example, %mygroup%
- Namespace - Write the exclusion as GSL, for example, mynamespace%
- Image
  - Registry - myregistry.domain.com/%
  - Tag - myregistry.domain.com/my-ubuntu:%
  - Specific image (full name) - myregistry.domain.com/my-ubuntu:v1
Actions
When you configure Image Admission, you can select one of these options:
- Detect - generate an event on the image deployment. No CLI output; the API call is not blocked.
- Prevent - block the API call, send a CLI message, and generate an event on the image deployment.
- Disable - ignore the deployment.
Based on previous assessments from the CI/CD pipeline (ShiftLeft), Registry Scanning, or a Kubernetes cluster, Image Admission can detect or block the deployment of the image in a cluster.
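To make the decision logic concrete, here is an added Python model (not CloudGuard's own code) of how the admission checks, the "%" exclusion wildcard and the Detect/Prevent/Disable actions described above combine into one verdict per image. The scan records and policy values are constructed samples, and "%" is assumed to match any run of characters.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

ScanRecord = namedtuple("ScanRecord", "scanned compliant")  # one scan result per image name

def gsl_match(pattern: str, value: str) -> bool:
    """Match an exclusion pattern in which '%' is the wildcard (assumed: any run of characters)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value) is not None

@dataclass
class Policy:
    # Each action is "Detect", "Prevent" or "Disable"; both default to Disable, as on the page.
    non_compliant_action: str = "Disable"  # API property admissionControllerAction
    unscanned_action: str = "Disable"      # API property admissionControlUnScannedAction
    excluded_images: List[str] = field(default_factory=list)
    excluded_namespaces: List[str] = field(default_factory=list)

def admit(policy: Policy, image: str, namespace: str,
          scans: Dict[str, ScanRecord]) -> Tuple[str, bool]:
    """Return (verdict, event): verdict is 'allow' or 'deny'; event is True if an event is generated."""
    if (any(gsl_match(p, image) for p in policy.excluded_images)
            or any(gsl_match(p, namespace) for p in policy.excluded_namespaces)):
        return "allow", False  # exclusion matched: no check, no event
    record = scans.get(image)  # enforcement keys on the image name, so the tag must match
    if record is None or not record.scanned:
        action = policy.unscanned_action
    elif not record.compliant:
        action = policy.non_compliant_action
    else:
        return "allow", False  # scanned and compliant
    if action == "Prevent":
        return "deny", True   # API call blocked, CLI message, event generated
    if action == "Detect":
        return "allow", True  # event only, deployment proceeds
    return "allow", False     # Disable: deployment ignored

def images_to_check(old_images: Optional[Iterable[str]], new_images: Iterable[str]) -> Set[str]:
    """A new workload has every image checked; an update only its changed or added images."""
    return set(new_images) if old_images is None else set(new_images) - set(old_images)

SCANS = {  # constructed sample scan results keyed by image name
    "myregistry.domain.com/api:v3": ScanRecord(scanned=True, compliant=True),
    "myregistry.domain.com/web:v1": ScanRecord(scanned=True, compliant=False),
}
POLICY = Policy(non_compliant_action="Prevent", unscanned_action="Detect",  # constructed sample policy
                excluded_images=["internal.example/%"], excluded_namespaces=["mynamespace%"])
```

Calling admit(POLICY, image, namespace, SCANS) for each image returned by images_to_check gives the per-image outcome a Prevent or Detect policy would produce.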
To configure Image Admission:
- Navigate to Workload Protection > Vulnerabilities > Policies.
- Click Add Policy and start to add a policy for a Kubernetes environment as in Getting Started with Image Assurance Policy.
- On the Image Admission page of the wizard, select the actions:
  - For non-compliant images, select Detect, Prevent, or Disable.
  - For not scanned images, select Detect, Prevent, or Disable.
- Click Next to continue the policy configuration.
To change the Image Admission actions of an existing policy:
- Navigate to Workload Protection > Vulnerabilities > Policies.
- Select an existing policy and click Edit on the top bar.
- On the Image Admission page of the wizard, change the actions:
  - For non-compliant images, select Detect, Prevent, or Disable.
  - For not scanned images, select Detect, Prevent, or Disable.
- Optionally, you can edit the policy notification.
To configure Image Admission through the API, use this endpoint:
POST /v2/kubernetes/imageAssurance/policy
Use these properties:
- Image Admission Action - admissionControllerAction
- Image Admission UnScanned Action - admissionControlUnScannedAction
For more information, see the API Reference Guide.