漏洞描述
Ensures that Kubernetes deployments have the image pull policy set to 'Always', which guarantees the most up-to-date version of the image is used.
k8s-image-pull-policy-always: Image Pull Policy set to Always
PoC代码[已公开]
id: k8s-image-pull-policy-always
info:
name: Image Pull Policy set to Always
author: princechaddha
severity: low
description: Ensures that Kubernetes deployments have the image pull policy set to 'Always', which guarantees the most up-to-date version of the image is used.
impact: |
Not setting the image pull policy to 'Always' may cause pods to use outdated versions of images, which can lead to security vulnerabilities if the images contain fixes or updates.
remediation: Update the image pull policy in Kubernetes Deployments to 'Always' to ensure that the latest container images are always used.
reference:
- https://kubernetes.io/docs/concepts/containers/images/#updating-images
tags: cloud,devops,kubernetes,k8s,devsecops,deployments,images,docker,k8s-cluster-security
flow: |
code(1);
for (let deployment of template.items) {
set("deployment",deployment)
javascript(1);
}
self-contained: true
code:
- engine:
- sh
- bash
source: kubectl get deployments --all-namespaces --output=json
extractors:
- type: json
name: items
internal: true
json:
- '.items[]'
javascript:
- code: |
deployment = JSON.parse(template.deployment);
if (!deployment.spec.template.spec.containers.every(container => container.imagePullPolicy === 'Always')) {
let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' does not have image pull policy set to Always.`);
Export(result);
}
extractors:
- type: dsl
dsl:
- response
# digest: 490a0046304402206b99c38b3c7a728baebe728ad16916a649d1322ef1140913ac8a43488309469302202a8458215efee01be4f2529788717cc7d34fd874acf2b990e5fc46bf99cf79d4:922c64590222798bb761d5b6d8e72950