☸️ CIS Kubernetes 5.5.1 · Rule: K8S-IMG-001 · Severity: high

Image policy webhook

Description

Configure the ImagePolicyWebhook admission controller (or an equivalent such as Kyverno or OPA Gatekeeper) to verify image signatures before a workload is admitted.

⚠️ Risk Impact

Without image-policy enforcement, any image from any registry can be deployed. Supply-chain attacks (compromised registries, typosquatting) succeed.

🔍 How EchelonGraph Detects This

K8S-IMG-001 · Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Deploy Kyverno or OPA Gatekeeper. Require image signatures produced with cosign. Restrict image pulls to an approved registry list.
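The following Kyverno ClusterPolicy is an added example (not EchelonGraph's or the Kyverno project's own code) showing both remediation steps in one policy: a validate rule that allows only images from an approved registry, and a verifyImages rule that rejects any image lacking a valid cosign signature. The registry host `registry.example.com`, the policy name and the public-key placeholder are assumptions; replace them with your own registry and the `cosign.pub` generated by your CI signing key.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: image-policy-k8s-img-001        # hypothetical policy name
spec:
  # 'Audit' only records a policy report and still admits the Pod;
  # 'Enforce' is what actually blocks unsigned or off-registry images.
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  rules:
    # Rule 1: every container image (including init and ephemeral
    # containers) must come from the approved registry.
    - name: restrict-registries
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Images must be pulled from registry.example.com."
        pattern:
          spec:
            containers:
              - image: "registry.example.com/*"       # assumed approved registry
            =(initContainers):
              - image: "registry.example.com/*"
            =(ephemeralContainers):
              - image: "registry.example.com/*"
    # Rule 2: images from the approved registry must carry a cosign
    # signature that verifies against the CI signing key's public half.
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.com/*"
          required: true            # reject the Pod if no valid signature is found
          mutateDigest: true        # rewrite tag references to the verified digest
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <contents of cosign.pub: placeholder>
                      -----END PUBLIC KEY-----
```

Apply it with `kubectl apply -f` and then check behaviour against the scenario on this page: a Pod using `docker.io/ngnix` is denied by the first rule because the host is not on the approved list, and a Pod using an image from `registry.example.com` that was never run through `cosign sign` in CI is denied by the second. Because the two rules are ordered allow-list first, a typosquatted name never reaches signature verification at all.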

💀 Real-World Attack Scenario

An attacker compromised a developer's laptop and pushed a malicious image under a typosquatted name (e.g., 'docker.io/ngnix' instead of 'nginx'). Without an admission policy, the image was deployed and the attacker gained a foothold in the cluster.

💰 Cost of Non-Compliance

Supply-chain attacks in K8s: average cost $4.55M (IBM 2024).

📋 Audit Questions

  1. Is an admission policy in place for image verification?
  2. Are image registries restricted to an approved list?
  3. Is cosign signing integrated into CI/CD?

🎯 MITRE ATT&CK Mapping

T1195 — Supply Chain Compromise

⚡ Common Pitfalls

  • Admission policy left in audit (non-enforcing) mode
  • No image signing in the build pipeline
  • Approved registry list missing common typos

📈 Business Value

Image policy prevents supply-chain attacks at deployment.

⏱️ Effort Estimate

Manual: Kyverno/OPA setup

With EchelonGraph: EchelonGraph integrates with admission controllers

🔗 Cross-Framework References

NIST-SI-7

Automate CIS Kubernetes 5.5.1 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
