Azure Security Center giving high alerts: "Trusted registries only allowed for container images"


We have AKS and are using images from our private ACR as well as Docker Hub images. We could see that default security policies are applied to the subscription, and these are giving high-severity recommendations about trusted images. Upon checking, we noticed that the allowed container images regex points to the default regex ^(.+){0}$.

Is this the reason for these alerts? How can we mark only certain ACR and Docker Hub images as trusted by modifying the regex?


3 answers

Accepted answer (2 votes)

This seems to work for multiple registries:

^(docker\.io|quay\.io|k8s\.gcr\.io|[^\/]+\.azurecr\.io).*$

3 votes

I had the same issue and applied the following regex: ^.+nameofACR.azurecr.io/.+$ That applied correctly for the one ACR, but I haven't figured out how to apply it to the other ACRs that are used as well.

0 votes

I would use a regex like this:

^(docker\.io/somename|somename\.azurecr\.io)/.*$

and be as specific as possible to limit the attack surface.

If you omit the last / as in

^(docker\.io/somename|somename\.azurecr\.io).*$

you will allow a container registry like somename.azurecr.io.evildomain.com.

If you allow any Azure Container Registry as in

... [^\/]+\.azurecr\.io ...

an attacker can just set up any Azure Container Registry with a hostile image, and the rule will not trigger.
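To see concretely what each of the three patterns from the answers admits, here is an added Python check (not code from any of the answers) that runs them against a constructed set of image references. The registry names, namespaces and tags are made up, and the dots in the strict pattern are escaped so that "." only matches a literal dot.

```python
import re

# The three patterns discussed in the answers (dots escaped in the strict pair).
ACCEPTED_ANSWER = r"^(docker\.io|quay\.io|k8s\.gcr\.io|[^\/]+\.azurecr\.io).*$"
STRICT = r"^(docker\.io/somename|somename\.azurecr\.io)/.*$"
NO_TRAILING_SLASH = r"^(docker\.io/somename|somename\.azurecr\.io).*$"

# Constructed image references for the comparison; none of these are real.
IMAGES = [
    "somename.azurecr.io/web:1.4",                 # our own ACR
    "docker.io/somename/web:1.4",                  # our Docker Hub namespace
    "somename/web:1.4",                            # same Hub image as a short name:
                                                   #   no pattern matches it, so pod
                                                   #   specs must spell out docker.io/
    "somename.azurecr.io.evildomain.com/web:1.4",  # look-alike hostname
    "docker.io/somename-other/web:1.4",            # look-alike Hub namespace
    "otheracr.azurecr.io/web:1.4",                 # any other tenant's ACR
    "quay.io/somebody/web:1.4",                    # third-party registry
]

# Prefixes we actually consider trusted, used to spot what a pattern lets through.
TRUSTED_PREFIXES = ("somename.azurecr.io/", "docker.io/somename/")


def is_allowed(pattern: str, image: str) -> bool:
    """True if the image string, exactly as written in the pod spec, matches."""
    return re.match(pattern, image) is not None


def permitted(pattern: str, images=IMAGES) -> list:
    """Image references the pattern lets through, in input order."""
    return [img for img in images if is_allowed(pattern, img)]


def leaked(pattern: str, trusted=TRUSTED_PREFIXES) -> list:
    """Permitted images that do not come from one of our trusted registry paths."""
    return [img for img in permitted(pattern) if not img.startswith(trusted)]


if __name__ == "__main__":
    for name, pat in [("accepted answer", ACCEPTED_ANSWER),
                      ("strict", STRICT),
                      ("no trailing slash", NO_TRAILING_SLASH)]:
        print(f"{name:18s} permits {len(permitted(pat))}/{len(IMAGES)}; "
              f"untrusted images let through: {leaked(pat)}")
```

Only the strict pattern with the trailing slash lets through exactly the two trusted paths; the other two admit the look-alike hostname, and the accepted answer's pattern additionally admits every other tenant's ACR and the third-party registries it lists.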