
We have AKS and are using images from our private ACR as well as Docker Hub images. I could see that the default security policies applied to the subscription are giving high-severity security vulnerability recommendations about trusted images. Upon checking, I noticed that the allowed container images regex is pointing to the default regex ^(.+){0}$.

Is this the reason for these alerts? How can we make only certain ACR and Docker Hub images trusted by modifying the regex?

Vowneee

2 Answers


This seems to work for multiple registries:

^(docker\.io|quay\.io|k8s\.gcr\.io|.+azurecr\.io).*$

Stephan
  • I added a regex like ^(.+.azurecr|docker).io\/.+$ and it resolved my issue for some time. But when we deploy an nginx pod from Docker Hub, it is again shown as not trusted. So is my regex valid only for docker.io\imagename, and if we just mention the image "nginx" it does not become trusted? Not sure why Azure Security Center is still reporting the issue. – Vowneee Jun 30 '21 at 19:19
  • Hi @Vowneee, could you help me with where I should add the regex to solve this? I am facing a similar issue, but I am not sure where I should add the regex. It would be great if you could help me with this. – Praveen sivadasan Aug 09 '22 at 12:18
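A few things the thread leaves implicit, worked through below in an added example (this is not code from the question or the answers). The default value ^(.+){0}$ matches only the empty string, because (.+){0} is zero repetitions of the group, so with the default every image is untrusted. The regex is the allowedContainerImagesRegex parameter of the Azure Policy definition "Kubernetes cluster containers should only use allowed images", which is what the Defender for Cloud recommendation is backed by, so it is changed on that policy assignment's parameters. The policy evaluates the literal image string from the pod spec, not the name the runtime resolves it to, which is why a bare "nginx" fails a regex that requires docker.io (Vowneee's observation above): either write docker.io/library/nginx in the manifest or loosen the regex. Finally, an unanchored fragment such as .+azurecr\.io, or a trailing .*, lets lookalike hosts through. The script runs the page's regexes and an assumed stricter variant (STRICT_REGEX, my own, not posted by anyone here) over a constructed list of image strings, and also shows how a runtime expands a Docker Hub short name.

```python
"""Try the allowed-container-images regexes from this thread against image
strings as they would appear in a pod spec.

Added example for this page; it is not code from the question or answers.
SAMPLE_IMAGES is constructed, and STRICT_REGEX is an assumed tightening that
none of the thread's participants posted.
"""
import re

# Regexes exactly as they appear on this page.
DEFAULT_REGEX = r"^(.+){0}$"                      # the policy's default value
COMMENT_REGEX = r"^(.+.azurecr|docker).io\/.+$"   # first comment under the top answer
ANSWER_REGEX = r"^(docker\.io|quay\.io|k8s\.gcr\.io|.+azurecr\.io).*$"  # top answer

# Assumed tighter variant: each registry host must be followed by "/", and the
# ACR name is limited to DNS-label characters, so lookalike hosts such as
# "docker.io.evil.example" or "evilazurecr.io" no longer pass.
STRICT_REGEX = r"^(docker\.io/|quay\.io/|k8s\.gcr\.io/|[a-z0-9-]+\.azurecr\.io/)[^\s]+$"

# Constructed sample of image strings (not real deployments).
SAMPLE_IMAGES = [
    "",                                       # the only string the default matches
    "nginx",                                  # bare Docker Hub short name, as in the comment
    "nginx:1.21",
    "library/nginx",
    "docker.io/library/nginx:1.21",           # fully qualified Docker Hub reference
    "myacr.azurecr.io/app/api:2.0",
    "quay.io/prometheus/node-exporter:v1.3.1",
    "docker.io.evil.example/nginx",           # lookalike host
    "evilazurecr.io/app:1",                   # lookalike host
]


def is_trusted(regex, image):
    """Unanchored match, as Go's regexp (which OPA/Gatekeeper's regex builtins
    use) does; the ^ and $ inside the patterns supply the anchoring."""
    return re.search(regex, image) is not None


def evaluate(regex, images=SAMPLE_IMAGES):
    """Map each image string to whether the regex would treat it as trusted."""
    return {image: is_trusted(regex, image) for image in images}


def normalize_reference(image):
    """Expand a Docker Hub short name the way a container runtime does:
    'nginx' -> 'docker.io/library/nginx', 'org/app' -> 'docker.io/org/app'.
    The policy never sees this expanded form; it is handed the literal
    pod-spec string, which is why a bare 'nginx' fails every regex above."""
    first, sep, _rest = image.partition("/")
    looks_like_host = "." in first or ":" in first or first == "localhost"
    if not sep:
        return "docker.io/library/" + image
    if not looks_like_host:
        return "docker.io/" + image
    return image


def report(regexes=None, images=SAMPLE_IMAGES):
    """Render a text table: one column per regex, one row per image."""
    if regexes is None:
        regexes = {"default": DEFAULT_REGEX, "comment": COMMENT_REGEX,
                   "answer": ANSWER_REGEX, "strict": STRICT_REGEX}
    width = max(len(repr(i)) for i in images)
    header = "  ".join("%-8s" % name for name in regexes)
    lines = ["%-*s  %s" % (width, "image", header)]
    for image in images:
        cells = ["%-8s" % ("ok" if is_trusted(r, image) else "DENY")
                 for r in regexes.values()]
        lines.append("%-*s  %s" % (width, repr(image), "  ".join(cells)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
    print()
    for short in ("nginx", "nginx:1.21", "bitnami/redis", "localhost:5000/app"):
        print("%-20s -> %s" % (short, normalize_reference(short)))
```

Running it shows that "nginx" and "library/nginx" are denied by every regex on the page, that the answer's regex accepts docker.io.evil.example/nginx and evilazurecr.io/app:1, and that the comment's regex accepts the latter as well; the stricter variant denies both lookalikes while still accepting the real ACR and Docker Hub references.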

I had the same issue and applied the following regex: ^.+nameofACR.azurecr.io/.+$ That applied correctly for the one ACR, but I haven't figured out how to apply it to the other ACRs that are used as well.

Marco
  • Also, you may get a requirement to add the docker.io registry as well for some of your pods. – Vowneee Jun 04 '21 at 12:24
  • In that case we may need to allow both the ACR and docker.io registries to be trusted. Looking for the regex to make that work. – Vowneee Jun 08 '21 at 17:50
  • Luckily I deploy all of the containers only from ACR. I'm also looking for a way to add multiple registries. If I find any, I will post it. – Marco Jun 10 '21 at 06:33