OpenShift Request For Enhancement
RFE-1293

Protect against misuse of images present on a node

Details

    • Feature Request
    • Resolution: Done

    Description

      The Center for Internet Security (CIS) Kubernetes benchmark recommends that the AlwaysPullImages admission control policy be set to "force every new pod to pull the required images every time." This is so that "users can be assured that their private images can only be used by those who have the credentials to pull them."

      When an image is deployed to OCP 4, a copy is stored in /var/lib/containers on the node the pod is scheduled to. If the image is already present on a node (pulled for a different pod), and I know its name or SHA digest and can run a pod on that same node, I can use the image for my pod even though my pod has no permission from the image registry to pull it.

      OCP 4 intentionally does not set AlwaysPullImages, because turning on this admission plugin can introduce new kinds of cluster failure modes. Self-hosted infrastructure components are still pods. This means that enabling this feature can result in cases where a loss of contact with an image registry causes a redeployed infrastructure pod (oauth-server, for example) to fail on an image pull for an image that is already present on the node. We use PullIfNotPresent so that a loss of image registry access does not prevent the pod from starting. If it becomes PullAlways, then an image registry access outage can cause key infrastructure components to fail.

      As this cannot be a default or a recommendation, we need to find an alternative way to protect against misuse of container images stored in /var/lib/containers.

      Note that at this time, there is not a clear solution.

      1. The optional ability to apply this policy to worker nodes only might be useful, but it is not appropriate for a cluster where workloads can be deployed on master nodes.
      2. Given that OCP has the option to set the image pull policy per container, we might explore ways to enhance that capability to meet the CIS guidance for workload containers. Default behavior: if a container's imagePullPolicy parameter is not specified, OpenShift Container Platform sets it based on the image's tag. If the tag is latest, OpenShift Container Platform defaults imagePullPolicy to Always. Otherwise, OpenShift Container Platform defaults imagePullPolicy to IfNotPresent. (Image pull policy - Managing images | Images | OpenShift Container Platform 4.3: https://docs.openshift.com/container-platform/4.3/openshift_images/managing_images/image-pull-policy.html) Manually setting this per application / workload container is not scalable.
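The following audit script is an added example, not part of the RFE or of OpenShift itself. It applies the default rule quoted above (explicit imagePullPolicy wins; tag latest gives Always; any other tag gives IfNotPresent) to a set of constructed pod specs and lists the workload containers that could start from an image already cached on the node, while deliberately skipping infrastructure namespaces (assumed here to be openshift-* and kube-*) so the registry-outage failure mode is not reintroduced. It also treats an untagged reference as latest and a digest-pinned reference as IfNotPresent, which is the Kubernetes semantic the page does not spell out.

```python
"""Audit workload pods whose effective pull policy lets them start from an image
already cached in /var/lib/containers, skipping the infrastructure namespaces."""
import re
# Assumption: infrastructure pods live in openshift-* / kube-* namespaces.
INFRA_NAMESPACE = re.compile(r"^(openshift|kube)-")

def image_tag(image):
    """Tag of an image reference; None if digest-pinned; untagged means 'latest'."""
    if "@" in image:                      # e.g. quay.io/ns/app@sha256:...
        return None
    name = image.rsplit("/", 1)[-1]      # strip registry host (and its :port)
    return name.split(":", 1)[1] if ":" in name else "latest"

def effective_pull_policy(image, explicit=None):
    """Default rule from the description: an explicit imagePullPolicy wins;
    otherwise tag 'latest' -> Always, any other tag or a digest -> IfNotPresent."""
    if explicit:
        return explicit
    return "Always" if image_tag(image) == "latest" else "IfNotPresent"

def audit(pods):
    """(namespace, pod, image) triples for workload containers on IfNotPresent.
    Infra namespaces are skipped on purpose: forcing Always there brings back the
    registry-outage failure mode the description warns about."""
    findings = []
    for pod in pods:
        if INFRA_NAMESPACE.match(pod["namespace"]):
            continue
        for c in pod["containers"]:
            if effective_pull_policy(c["image"], c.get("imagePullPolicy")) == "IfNotPresent":
                findings.append((pod["namespace"], pod["name"], c["image"]))
    return findings

# Constructed sample pod specs, not real cluster state.
SAMPLE_PODS = [
    {"namespace": "openshift-authentication", "name": "oauth-openshift-1",
     "containers": [{"image": "quay.io/openshift/oauth-server:4.3"}]},
    {"namespace": "team-a", "name": "web-1",
     "containers": [{"image": "registry.example.com:5000/team-a/web:1.4"}]},
    {"namespace": "team-a", "name": "batch-1",
     "containers": [{"image": "registry.example.com:5000/team-a/batch"}]},
    {"namespace": "team-b", "name": "api-1",
     "containers": [{"image": "quay.io/team-b/api@sha256:" + "a" * 64,
                     "imagePullPolicy": "Always"}]},
]

if __name__ == "__main__":
    for ns, pod, image in audit(SAMPLE_PODS):
        print(f"{ns}/{pod}: {image} can start from the node's image cache")
```

Only team-a/web-1 is reported: the untagged batch image defaults to Always, the api pod sets Always explicitly, and the oauth pod is in an infrastructure namespace.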

            People

              gausingh@redhat.com Gaurav Singh
              knewcome@redhat.com Kirsten Newcomer