Not able to define registry name as wildcard for imageRepositoryAllowList in controls-inputs.json
In an earlier version wildcard entries were allowed, but in the latest version it seems wildcards are not applicable.
Environment
OS:
PRETTY_NAME="Ubuntu 22.04 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04 (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
Version:
kubescape version
Your current version is: v3.0.3
Steps To Reproduce
1. Download kubescape controls:
kubescape download controls-inputs
2. Update the controls.json file with imageRepositoryAllowList list with domains [".*jfrog.io","434343.dkr.ecr.*.amazonaws.com"]
3. Now create a test.yaml with registry with different regions as below:
4. Now run scan:
cat test.yaml | kubescape scan control C-0073,C-0075,C-0078 - -v -t 0 --controls-config controls.json
cat test.yaml | kubescape scan control C-0073,C-0075,C-0078 - -v -t 0 --controls-config controls.json
Flag --fail-threshold has been deprecated, use '--compliance-threshold' flag instead. Flag will be removed at 1.Dec.2023
✅ Initialized scanner
✅ Loaded policies
✅ Loaded exceptions
✅ Loaded account configurations
✅ Done accessing local objects
Control: C-0075 100% |██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| (3/3, 149 it/s)
✅ Done scanning File
✅ Done aggregating results
──────────────────────────────────────────────────
################################################################################
Source: tmp-kubescape2243855037.yaml
ApiVersion: v1
Kind: Pod
Name: frontend
Controls: 3 (Failed: 2, action required: 0)
┌──────────┬──────────────────────────────┬────────────────────────────────────┬──────────────────────────┐
│ Severity │ Control name │ Docs │ Assisted remediation │
├──────────┼──────────────────────────────┼────────────────────────────────────┼──────────────────────────┤
│ Medium │ Images from allowed registry │ https://hub.armosec.io/docs/c-0078 │ spec.containers[0].image │
├──────────┼──────────────────────────────┼────────────────────────────────────┼──────────────────────────┤
│ Low │ Naked pods │ https://hub.armosec.io/docs/c-0073 │ │
└──────────┴──────────────────────────────┴────────────────────────────────────┴──────────────────────────┘
┌─────────────────┬───┐
│ Controls │ 3 │
│ Passed │ 1 │
│ Failed │ 2 │
│ Action Required │ 0 │
└─────────────────┴───┘
Failed resources by severity:
┌──────────┬───┐
│ Critical │ 0 │
│ High │ 0 │
│ Medium │ 1 │
│ Low │ 1 │
└──────────┴───┘
┌──────────┬─────────────────────────────────┬──────────────────┬───────────────┬──────────────────┐
│ Severity │ Control name │ Failed resources │ All Resources │ Compliance score │
├──────────┼─────────────────────────────────┼──────────────────┼───────────────┼──────────────────┤
│ Medium │ Images from allowed registry │ 1 │ 1 │ 0% │
│ Low │ Naked pods │ 1 │ 1 │ 0% │
│ Low │ Image pull policy on latest tag │ 0 │ 1 │ 100% │
├──────────┼─────────────────────────────────┼──────────────────┼───────────────┼──────────────────┤
│ │ Resource Summary │ 1 │ 1 │ 33.33% │
└──────────┴─────────────────────────────────┴──────────────────┴───────────────┴──────────────────┘
5. Update the controls.json file with imageRepositoryAllowList list with domains with exact registry [".*jfrog.io","434343.dkr.ecr.eu-west-1.amazonaws.com"]
6. Now run scan again:
cat test.yaml | kubescape scan control C-0073,C-0075,C-0078 - -v -t 0 --controls-config controls.json
cat test.yaml | kubescape scan control C-0073,C-0075,C-0078 - -v -t 0 --controls-config controls.json
Flag --fail-threshold has been deprecated, use '--compliance-threshold' flag instead. Flag will be removed at 1.Dec.2023
✅ Initialized scanner
✅ Loaded policies
✅ Loaded exceptions
✅ Loaded account configurations
✅ Done accessing local objects
Control: C-0075 100% |██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| (3/3, 122 it/s)
✅ Done scanning File
✅ Done aggregating results
──────────────────────────────────────────────────
################################################################################
Source: tmp-kubescape185398782.yaml
ApiVersion: v1
Kind: Pod
Name: frontend
Controls: 3 (Failed: 1, action required: 0)
┌──────────┬──────────────┬────────────────────────────────────┬──────────────────────┐
│ Severity │ Control name │ Docs │ Assisted remediation │
├──────────┼──────────────┼────────────────────────────────────┼──────────────────────┤
│ Low │ Naked pods │ https://hub.armosec.io/docs/c-0073 │ │
└──────────┴──────────────┴────────────────────────────────────┴──────────────────────┘
┌─────────────────┬───┐
│ Controls │ 3 │
│ Passed │ 2 │
│ Failed │ 1 │
│ Action Required │ 0 │
└─────────────────┴───┘
Failed resources by severity:
┌──────────┬───┐
│ Critical │ 0 │
│ High │ 0 │
│ Medium │ 0 │
│ Low │ 1 │
└──────────┴───┘
┌──────────┬─────────────────────────────────┬──────────────────┬───────────────┬──────────────────┐
│ Severity │ Control name │ Failed resources │ All Resources │ Compliance score │
├──────────┼─────────────────────────────────┼──────────────────┼───────────────┼──────────────────┤
│ Medium │ Images from allowed registry │ 0 │ 1 │ 100% │
│ Low │ Naked pods │ 1 │ 1 │ 0% │
│ Low │ Image pull policy on latest tag │ 0 │ 1 │ 100% │
├──────────┼─────────────────────────────────┼──────────────────┼───────────────┼──────────────────┤
│ │ Resource Summary │ 1 │ 1 │ 66.67% │
└──────────┴─────────────────────────────────┴──────────────────┴───────────────┴──────────────────┘
Expected behavior
controls.json should accept wildcard entry for registries in imageRepositoryAllowList
Actual Behavior
controls.json does not detect wildcard entry for registries in imageRepositoryAllowList
Additional context
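Added example, not part of the original report and not kubescape's own code: a stand-alone Go check that evaluates the reported allow-list entries against an image's registry host both as anchored regular expressions and as literal hostnames, so the entries can be validated independently of the scanner. How kubescape itself evaluates imageRepositoryAllowList is not stated on this page; the function names, the tighter `strict` entries and the sample image references are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// registryHost returns the text before the first "/" of an image reference.
// Assumes the reference names its registry explicitly.
func registryHost(image string) string {
	if i := strings.Index(image, "/"); i > 0 {
		return image[:i]
	}
	return ""
}

// allowed reports whether any entry admits the image. With asRegex the entry is
// compiled as a regular expression anchored to the whole host; otherwise it is
// compared as a literal hostname. Entries that fail to compile admit nothing.
func allowed(entries []string, image string, asRegex bool) bool {
	host := registryHost(image)
	for _, e := range entries {
		if !asRegex {
			if e == host {
				return true
			}
			continue
		}
		re, err := regexp.Compile("^(?:" + e + ")$")
		if err == nil && re.MatchString(host) {
			return true
		}
	}
	return false
}

func main() {
	wildcard := []string{".*jfrog.io", "434343.dkr.ecr.*.amazonaws.com"} // from the report
	// Hypothetical tighter entries: dots escaped, region limited to one DNS label.
	strict := []string{`(?:[a-z0-9-]+\.)*jfrog\.io`, `434343\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com`}
	images := []string{ // constructed sample references
		"434343.dkr.ecr.eu-west-1.amazonaws.com/frontend:1.0",
		"acme.jfrog.io/frontend:1.0",
		"notjfrog.io/frontend:1.0",
	}
	for _, img := range images {
		fmt.Printf("%-52s regex=%-5v literal=%-5v strict=%v\n", img,
			allowed(wildcard, img, true), allowed(wildcard, img, false), allowed(strict, img, true))
	}
}
```

Read as regular expressions, the reported entries admit the ECR host in any region, but `.*jfrog.io` also admits a look-alike host such as `notjfrog.io`; escaping the dots and bounding the wildcard keeps the allow list no wider than intended.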