Always Pull Images Admission Control Plugin Not Set

YAML Configuration

rule.yaml YAML

apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-supply-004
  labels:
    severity: "high"
    category: "supply"
  annotations:
    rules.spotter.dev/title: "Always Pull Images Admission Control Plugin Not Set"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-829"
    rules.spotter.dev/description: "The `AlwaysPullImages` admission controller should be enabled to ensure that images are always pulled from the registry, preventing the use of stale or compromised cached images."
spec:
  match:
    resources:
      kubernetes:
        apiGroups:
          - ""
        versions:
          - v1
        kinds:
          - Pod
  cel: |
    has(object.spec.containers) && object.spec.containers.exists(c,
      (has(c.command) && c.command.exists(cmd, cmd == "kube-apiserver")) &&
      !(has(c.args) && c.args.exists(arg, arg.contains("--enable-admission-plugins=") && arg.contains("AlwaysPullImages"))) &&
      !(has(c.command) && c.command.exists(cmd, cmd.contains("--enable-admission-plugins=") && cmd.contains("AlwaysPullImages")))
    )
  remediation:
    manual: "Enable the `AlwaysPullImages` admission plugin in the kube-apiserver configuration."
  references:
    - title: "Kubernetes Admission Controllers"
      url: "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages"

Test Cases

test-cases.yaml YAML

- name: insecure sample 1 should fail
  pass: false
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: command-demo
      labels:
        purpose: demonstrate-command
    spec:
      containers:
        - name: command-demo-container
          image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
          command: ["kube-apiserver"]
          args: ["--enable-admission-plugins=AlwaysAdmit"]
      restartPolicy: OnFailure

- name: secure sample 1 should pass
  pass: true
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: command-demo
      labels:
        purpose: demonstrate-command
    spec:
      containers:
        - name: command-demo-container
          image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
          command: ["kube-apiserver"]
          args: ["--enable-admission-plugins=AlwaysPullImages", "--admission-control-config-file=path/to/plugin/config/file.yaml"]
      restartPolicy: OnFailure

- name: secure sample 2 should pass
  pass: true
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: command-demo
      labels:
        purpose: demonstrate-command
    spec:
      containers:
        - name: command-demo-container
          image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
          command: ["kube-apiserver","--enable-admission-plugins=AlwaysPullImages", "--admission-control-config-file=path/to/plugin/config/file.yaml"]
          args: []
      restartPolicy: OnFailure

Validating Admission Policy

validating-admission-policy.yaml YAML

# VAP export for spotter-supply-004
# Generated from Spotter rule
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: spotter-supply-004
spec:
  # Add your VAP configuration here

Rule Metadata

Always Pull Images Admission Control Plugin Not Set

YAML Configuration

Test Cases

Validating Admission Policy

Rule Metadata

Rule Information

Tags & Compliance

Compliance Standards

General Tags

Spotter Hub