goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

Allow method for pulling any image regardless if they are prevented due to security #12756

Open YAMLcase opened 4 years ago

YAMLcase commented 4 years ago

There should be a way to allow access to any and all images regardless of being denied due to the "Prevent vulnerable images from running" option.

First use case: security specialists would like the ability to pull vulnerable images for auditing without having to jump through hoops.

Second use case: Some organizations are required to use a 3rd party vulnerability scanning service that doesn't integrate with the pluggable scanner system. Rapid7's InsightVM is one popular service.

This 3rd party scanner will typically only take the following:

Can a user set as Admin have this special pull privilege?

YAMLcase commented 4 years ago

Inviting @jtackaberry @oheythere @shashank-k @cblomart from possibly related issues for comment:

#7949

#12398

cblomart commented 4 years ago

The requirement to prevent pull of vulnerable images is admittedly a risk to be pondered.

I have heard remarks like: "what will happen if a new vulnerability is found and my k8s needs to redeploy the service"

Personally I think that for those you may need to exclude the ban. I still think this should be a conscious choice best made with the security team.

Now, about security specialists and forensic analysis of these: I would reason that those should best be done out of band. This is meant in the sense of pipeline and automation for the mainstream usages (acceptance, quality control, production, ...).

So either this concerns:

Wouldn't it be best to rebuild it locally and do the security analysis locally? (Maybe this is a docker/k8s in a special security zone) Another option is to build/push it to a specific registry.

Same as above but you don't need to build. For open source projects maybe it is good to warn the upstream provider (did that for java and ibm containers with older alpine versions)

This is of course only my opinion ;-)

YAMLcase commented 4 years ago

@cblomart yea, there are best practices everyone should follow but in reality there is a correlation between friction and a percentage of people who will cut corners. In my case, literally every time I show a demo of Harbor to stakeholders or customers the very first question asked about the prevent vulnerable feature is "can Admin pull?" and the first comment on the answer is "well, that's not going to work".

ywk253100 commented 4 years ago

We'll consider it in the future release

xaleeks commented 4 years ago

I get where you're coming from but rules only work if they are enforced. That's why you can opt-in for this feature and it's set at the project configuration level for granularity. If you're trying to pull known unsafe images either because it's a test environment or you're comfortable with the security risk that it poses, curious as to why you can't whitelist those specific CVEs using the whitelist feature. Or better yet, you can disable the option to disallow pulling vulnerable images. Am I not seeing something here?
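To make the three options in the comment above concrete (allowlist the specific CVEs, turn the project-level option off, or add the admin exemption this issue asks for), here is an added example in Go. It is not Harbor's code: the `ProjectPolicy`, `Vulnerability` and `Decision` types and the `EvaluatePull` function are this example's own model of the gate, the `AdminBypass` flag is hypothetical and exists only to show what the requested feature would do, and the CVE identifiers in the sample report are placeholders, not real advisories. The severity-threshold comparison mirrors how the real project setting blocks findings at a chosen level and above; everything else about data shapes is assumed.

```go
package main

import (
	"fmt"
	"strings"
)

// Severity is an ordered scale so that "this level and above" comparisons work.
type Severity int

const (
	SevNone Severity = iota
	SevLow
	SevMedium
	SevHigh
	SevCritical
)

// ParseSeverity maps a scanner's severity string to the ordered scale.
// An unrecognised value maps to SevCritical so the gate fails closed
// rather than letting an unparsable finding slip through.
func ParseSeverity(s string) Severity {
	switch strings.ToLower(s) {
	case "none", "negligible":
		return SevNone
	case "low":
		return SevLow
	case "medium":
		return SevMedium
	case "high":
		return SevHigh
	case "critical":
		return SevCritical
	}
	return SevCritical
}

// Vulnerability is one finding from a scan report (constructed shape,
// not Harbor's report format).
type Vulnerability struct {
	CVE      string
	Severity Severity
}

// ProjectPolicy models the per-project settings the comment refers to.
type ProjectPolicy struct {
	PreventVulnerable bool            // the opt-in "prevent vulnerable images from running" switch
	Threshold         Severity        // findings at this level and above block the pull
	CVEAllowlist      map[string]bool // CVEs explicitly exempted (the "whitelist")
	AdminBypass       bool            // hypothetical: the admin exemption requested in this issue
}

// Decision records whether the pull is allowed and which findings blocked it.
type Decision struct {
	Allowed  bool
	Blocking []string
}

// EvaluatePull applies the project policy to one image's scan report.
func EvaluatePull(p ProjectPolicy, report []Vulnerability, isAdmin bool) Decision {
	// Option: the feature is switched off for the project, nothing is blocked.
	if !p.PreventVulnerable {
		return Decision{Allowed: true}
	}
	// Hypothetical exemption from this issue. It removes the control for one
	// class of users entirely, which is why it would be a conscious choice.
	if p.AdminBypass && isAdmin {
		return Decision{Allowed: true}
	}
	var blocking []string
	for _, v := range report {
		if v.Severity < p.Threshold {
			continue // below the configured threshold
		}
		if p.CVEAllowlist[v.CVE] {
			continue // option: explicitly accepted CVE
		}
		blocking = append(blocking, v.CVE)
	}
	return Decision{Allowed: len(blocking) == 0, Blocking: blocking}
}

func main() {
	// Constructed sample report; the CVE identifiers are placeholders.
	report := []Vulnerability{
		{CVE: "CVE-0000-0001", Severity: ParseSeverity("Critical")},
		{CVE: "CVE-0000-0002", Severity: ParseSeverity("Medium")},
	}
	base := ProjectPolicy{PreventVulnerable: true, Threshold: SevHigh}
	fmt.Println("default:", EvaluatePull(base, report, false))

	allow := base
	allow.CVEAllowlist = map[string]bool{"CVE-0000-0001": true}
	fmt.Println("allowlisted CVE:", EvaluatePull(allow, report, false))

	off := base
	off.PreventVulnerable = false
	fmt.Println("feature disabled:", EvaluatePull(off, report, false))

	bypass := base
	bypass.AdminBypass = true
	fmt.Println("admin bypass (hypothetical):", EvaluatePull(bypass, report, true))
}
```

The allowlist path is the narrowest of the three: it names the accepted risk per CVE and leaves the gate in place for everything else, whereas both disabling the option and an admin bypass remove the control wholesale for that project or that user class.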

github-actions[bot] commented 2 years ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.