1. Overview

If you are using the Trusted Images Compliance feature in Kubernetes you might see images blocked, even if they are defined with the right origin name or the image id.

2. Error messages

Check the Prisma Cloud Console Logs at Manage > View Logs > Console and filter for messages with "Image operation blocked by policy" to see if your image used in one your pods is blocked.

3. Steps to confirm the issue

If you find message entries that block a container image k8s.gcr.io/pause*

DEBU 2019-05-14T15:52:42.787 pubsub_defender.go:931 Access audit {ID:ObjectIdHex("") ContainerName:/k8s_POD_mypod-28674c9bf-bbktm_default_6828ad56-761c-11e9-a781-deadbec217e9_0 ImageName:k8s.gcr.io/pause:3.1 User: Type:docker Time:2019-05-14 15:52:27.743569841 +0000 UTC Hostname:mynode.test.com FQDN: SourceIP: Allow:false RuleName:BlockImages API:create Msg:[Twistlock] Image operation blocked by policy: Block-unregistered-images, has 1 compliance issues

You can see that the Kubernetes pause container is blocked. Kubernetes creates pause containers to acquire the respective pod’s IP address and set up the network namespace for all other containers that join that pod.

4. Troubleshooting steps

Make sure you defined one additional trusted Image at Defend > Compliance > Trusted Images with the following image identifier:

k8s.gcr.io/pause:*

4.1. Additional information

For more background information on the Kubernetes Pause container and what it is used for we recommend the following article: https://www.ianlewis.org/en/almighty-pause-container

4.2. Prisma Cloud version:

Applies to all versions

5. Cautionary notes

If this is a universal setting for all containers, you may want to check with your system admin before making changes to it. For any questions with making above changes, contact Prisma Cloud Support.