Minimize Container Registries To Only Approved Ones

More Info:

Use Binary Authorization to allowlist (whitelist) only approved container registries

Risk Level

Medium

Address

Security, Operational Excellence, Best Practice

Compliance Standards

CISGKE

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Minimize Container Registries To Only Approved Ones” in GCP using GCP CLI, you can follow the below steps:

Open the terminal and authenticate into your GCP account using the following command:
```
gcloud auth login
```
Once you are authenticated, set the project where the container registry is located using the following command:
```
gcloud config set project [PROJECT_ID]
```
Now, list all the container registries in the project using the following command:
```
gcloud container images list
```
Identify the container registries that are not approved and need to be minimized.
Delete the unwanted container registry using the following command:
```
gcloud container images delete [IMAGE_NAME] --force-delete-tags --quiet
```
Replace [IMAGE_NAME] with the name of the container image that you want to delete.
Repeat the above step for all the unwanted container registries.
Once you have deleted all the unwanted container registries, verify that only approved container registries are present using the following command:
```
gcloud container images list
```
This will list all the container registries present in the project.

By following the above steps, you can remediate the misconfiguration “Minimize Container Registries To Only Approved Ones” in GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Minimize Container Registries To Only Approved Ones” in GCP using Python, you can follow the below steps:

First, you need to get the list of all the container registries in your GCP project using the Google Cloud SDK and Python. You can use the following command to get the list of container registries:

gcloud container images list

Next, you need to create a list of approved container registries that are allowed in your GCP project.
Then, you can loop through the list of container registries and check if each registry is in the approved list or not. If it is not in the approved list, then you can delete that container registry using the following command:

gcloud container images delete [IMAGE_NAME] --force-delete-tags

You can write a Python script to automate this process. Here is an example script:

import subprocess

# List of approved container registries
approved_registries = ['gcr.io/my-project']

# Get the list of all container registries
registries = subprocess.check_output(['gcloud', 'container', 'images', 'list']).splitlines()

# Loop through the list of container registries
for registry in registries:
    # Check if the registry is in the approved list
    if registry not in approved_registries:
        # Delete the container registry
        subprocess.call(['gcloud', 'container', 'images', 'delete', registry, '--force-delete-tags'])

You can run this script periodically to ensure that only approved container registries are present in your GCP project.

Additional Reading:

https://cloud.google.com/binary-authorization/docs/policy-yaml-reference

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Minimize Container Registries To Only Approved Ones

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: