Trusted Images in Kubernetes environments
1. Overview
If you are using the Trusted Images Compliance feature in Kubernetes you might see images blocked, even if they are defined with the right origin name or the image id.
2. Error messages
Check the Prisma Cloud Console Logs at Manage > View Logs > Console and filter for messages with "Image operation blocked by policy" to see if your image used in one your pods is blocked.
3. Steps to confirm the issue
If you find message entries that block a container image k8s.gcr.io/pause*
DEBU 2019-05-14T15:52:42.787 pubsub_defender.go:931 Access audit {ID:ObjectIdHex("") ContainerName:/k8s_POD_mypod-28674c9bf-bbktm_default_6828ad56-761c-11e9-a781-deadbec217e9_0 ImageName:k8s.gcr.io/pause:3.1 User: Type:docker Time:2019-05-14 15:52:27.743569841 +0000 UTC Hostname:mynode.test.com FQDN: SourceIP: Allow:false RuleName:BlockImages API:create Msg:[Twistlock] Image operation blocked by policy: Block-unregistered-images, has 1 compliance issues
You can see that the Kubernetes pause container is blocked. Kubernetes creates pause containers to acquire the respective pod’s IP address and set up the network namespace for all other containers that join that pod.
4. Troubleshooting steps
Make sure you defined one additional trusted Image at Defend > Compliance > Trusted Images with the following image identifier:
k8s.gcr.io/pause:*
4.1. Additional information
For more background information on the Kubernetes Pause container and what it is used for we recommend the following article: https://www.ianlewis.org/en/almighty-pause-container