- Issue type: Bug
- Resolution: Unresolved
- Undefined
- None
- 4.6.0
- None
- False
- False
- Sprint: Rox Sprint 4.7E - Global, Rox Sprint 4.7F - Global
- 0
USER PROBLEM
The user creates a policy with a regex match on an image component version. The policy produces no violations for any deployment, even though the pattern correctly matches the version of the image component reported by the scanner.
CONDITIONS
Create a deployment that runs the Red Hat UBI 8 image:
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ubi-test
    app.kubernetes.io/component: ubi-test
    app.kubernetes.io/instance: ubi-test
    app.kubernetes.io/name: ubi-test
    app.kubernetes.io/part-of: ubi-test
  name: ubi-test
  namespace: app-deploy
spec:
  progressDeadlineSeconds: 600
  replicas: 0
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: ubi-test
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
      labels:
        app: ubi-test
        deployment: ubi-test
    spec:
      containers:
      - image: registry.redhat.io/ubi8/ubi:8.3-297.1618432833
        imagePullPolicy: IfNotPresent
        command:
        - "/bin/bash"
        - "-c"
        - "--"
        args:
        - "while true; do sleep 30; done;"
        name: ubi-test
        ports:
        - containerPort: 8080
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
Scan the image:
roxctl image scan -i registry.redhat.io/ubi8/ubi:8.3-297.1618432833
Create a RHACS policy that includes a regex match for the `redhat-release` image component version:
{
  "policies": [
    {
      "id": "38a67ce6-3350-41f1-8b49-a3fead8073f5",
      "name": "UBI versions",
      "description": "",
      "rationale": "",
      "remediation": "",
      "disabled": false,
      "categories": [ "Kubernetes" ],
      "lifecycleStages": [ "DEPLOY" ],
      "eventSource": "NOT_APPLICABLE",
      "exclusions": [],
      "scope": [],
      "severity": "LOW_SEVERITY",
      "enforcementActions": [],
      "notifiers": [],
      "lastUpdated": "2024-12-18T21:08:15.671543011Z",
      "SORTName": "",
      "SORTLifecycleStage": "",
      "SORTEnforcement": false,
      "policyVersion": "1.1",
      "policySections": [
        {
          "sectionName": "Rule 1",
          "policyGroups": [
            {
              "fieldName": "Image Component",
              "booleanOperator": "OR",
              "negate": false,
              "values": [
                { "value": "redhat-release=r/^8\\.[0-4].*" }
              ]
            }
          ]
        }
      ],
      "mitreAttackVectors": [],
      "criteriaLocked": false,
      "mitreVectorsLocked": false,
      "isDefault": false,
      "source": "IMPERATIVE"
    }
  ]
}
Observe that the policy does not generate any violations, despite the image containing an image component (`redhat-release`) that matches the regex.
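The steps above hinge on whether the `name=r/regex` value in the policy actually selects the `redhat-release` component of the scanned image. The following Python script is an added diagnostic, not part of this ticket and not RHACS code: it models the `Image Component` criterion as the policy author read it (a `name=version` pair where either side may be a regex prefixed with `r/`, otherwise an exact string) and applies it to a component list. The scan document layout (`scan.components[].name` / `.version`) and the `redhat-release` version string are constructed assumptions; replace `SAMPLE_SCAN` with the parsed JSON output of the real `roxctl image scan` run to confirm that the expected component and version are present and that the pattern matches it before treating the missing violation as an evaluator problem.

```python
import json
import re

# Constructed sample shaped like an image scan result with a component list.
# The field layout and the version strings are assumptions for illustration,
# not output captured from roxctl.
SAMPLE_SCAN = {
    "name": {"fullName": "registry.redhat.io/ubi8/ubi:8.3-297.1618432833"},
    "scan": {
        "components": [
            {"name": "redhat-release", "version": "8.3-1.0.el8"},
            {"name": "bash", "version": "4.4.19-12.el8"},
            {"name": "openssl-libs", "version": "1.1.1g-12.el8_3"},
        ]
    },
}


def to_matcher(part):
    """Turn one side of a 'name=version' value into a predicate on a string.

    'r/<regex>' is treated as a regular expression (the form used in the
    ticket's policy); an empty side places no constraint; anything else must
    match exactly. This is a model of the criterion, not the RHACS evaluator.
    """
    if part == "":
        return lambda s: True
    if part.startswith("r/"):
        pattern = re.compile(part[2:])
        return lambda s: pattern.search(s) is not None
    return lambda s: s == part


def parse_policy_value(value):
    """Split 'name=version' into a (name_matcher, version_matcher) pair."""
    name_part, _, version_part = value.partition("=")
    return to_matcher(name_part), to_matcher(version_part)


def matching_components(scan, value):
    """Return (name, version) tuples from the scan that satisfy the policy value."""
    name_ok, version_ok = parse_policy_value(value)
    return [
        (c["name"], c["version"])
        for c in scan["scan"]["components"]
        if name_ok(c["name"]) and version_ok(c["version"])
    ]


if __name__ == "__main__":
    # The value from the ticket's policy JSON, after JSON unescaping: ^8\.[0-4].*
    policy_value = "redhat-release=r/^8\\.[0-4].*"
    hits = matching_components(SAMPLE_SCAN, policy_value)
    print(json.dumps({"policy_value": policy_value, "matches": hits}, indent=2))
    if not hits:
        print("pattern does not match any component; check the scan output first")
```

If this script reports a match for the real scan output while Central still raises no violation, the component data and the pattern are consistent and the discrepancy lies in policy evaluation, which is what the ticket describes.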
ROOT CAUSE
- pending
FIX
- pending
Is related to: RFE-5848 RHACS: Minor version of baseOS on Vuln mgmt pages (Under Review)