- Updates and Announcements
- User Tutorial
- Product Introduction
- Purchase Guide
- Quick Start
- Operation Guide
- Creating an Enterprise Edition Instance
- Access Configuration
- Manage Image Repository
- Image Distribution
- Image Security
- Synchronization and Replication
- Configuring Image Tag Retention
- Image Cleanup
- DevOps
- OCI Artifacts Management
- Operation Guide for TCR Individual
- Terminating/Returning Instances
- Practical Tutorial
- TCR Personal migration
- TKE Clusters Use the TCR Addon to Enable Secret-free Pulling of Container Images via Private Network
- Synchronizing Images to TCR Enterprise Edition from External Harbor
- TKE Serverless Clusters Pull TCR Container Images
- Image Data Synchronization and Replication Between Multiple Platforms in Hybrid Cloud
- Nearby Access Through Image Synchronization Between Multiple Global Regions
- Using Custom Domain Name and CCN to Implement Cross-Region Private Network Access
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance Management APIs
- DescribeInstances
- DescribeInstanceStatus
- CreateInstanceToken
- CreateInstance
- ModifyInstanceToken
- DescribeInstanceToken
- DeleteInstanceToken
- DeleteInstance
- RenewInstance
- CheckInstanceName
- CheckInstance
- ModifyInstance
- DescribeRegions
- DescribeInstanceCustomizedDomain
- DescribeImageAccelerateService
- DeleteInstanceCustomizedDomain
- DeleteImageAccelerateService
- CreateInstanceCustomizedDomain
- CreateImageAccelerationService
- Namespace APIs
- Image Repository APIs
- Custom Account APIs
- Trigger APIs
- Instance Synchronization APIs
- Access Control APIs
- Helm Chart APIs
- Tag Retention APIs
- Data Types
- Error Codes
- FAQs
- Related Agreement
- Contact Us
- Glossary
- Updates and Announcements
- User Tutorial
- Product Introduction
- Purchase Guide
- Quick Start
- Operation Guide
- Creating an Enterprise Edition Instance
- Access Configuration
- Manage Image Repository
- Image Distribution
- Image Security
- Synchronization and Replication
- Configuring Image Tag Retention
- Image Cleanup
- DevOps
- OCI Artifacts Management
- Operation Guide for TCR Individual
- Terminating/Returning Instances
- Practical Tutorial
- TCR Personal migration
- TKE Clusters Use the TCR Addon to Enable Secret-free Pulling of Container Images via Private Network
- Synchronizing Images to TCR Enterprise Edition from External Harbor
- TKE Serverless Clusters Pull TCR Container Images
- Image Data Synchronization and Replication Between Multiple Platforms in Hybrid Cloud
- Nearby Access Through Image Synchronization Between Multiple Global Regions
- Using Custom Domain Name and CCN to Implement Cross-Region Private Network Access
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance Management APIs
- DescribeInstances
- DescribeInstanceStatus
- CreateInstanceToken
- CreateInstance
- ModifyInstanceToken
- DescribeInstanceToken
- DeleteInstanceToken
- DeleteInstance
- RenewInstance
- CheckInstanceName
- CheckInstance
- ModifyInstance
- DescribeRegions
- DescribeInstanceCustomizedDomain
- DescribeImageAccelerateService
- DeleteInstanceCustomizedDomain
- DeleteImageAccelerateService
- CreateInstanceCustomizedDomain
- CreateImageAccelerationService
- Namespace APIs
- Image Repository APIs
- Custom Account APIs
- Trigger APIs
- Instance Synchronization APIs
- Access Control APIs
- Helm Chart APIs
- Tag Retention APIs
- Data Types
- Error Codes
- FAQs
- Related Agreement
- Contact Us
- Glossary
Blocking the Deployment of High-Risk Images
Last updated: 2022-05-09 12:41:24
Overview
The Tencent Container Registry (TCR) Enterprise supports security scanning of managed container images and can generate scanning reports, expose potential security vulnerabilities in container images, and provide suggestions for fixing them. Container image security is an important part of cloud native application delivery security. Timely security scanning of uploaded container images and blocking application deployment based on the scanning results can effectively reduce the risk of vulnerabilities in the production environment.
The image deployment blocking feature is configured at the namespace level. You can enable it, and configure the blocking policy and the ignorable image vulnerabilities. Then, if a container client is trying to pull images that meet the blocking policy, the pulling will be denied and error reports will be returned.
Prerequisites
Before using the image deployment blocking feature, you need to perform the following operations:
- Create a TCR Enterprise Instance.
- If you are using a sub-account, you must have granted the sub-account operation permissions for the corresponding instance. For more information, see Example of Authorization Solution of TCR Enterprise.
Directions
Configuring the blocking policy
- Log in to the TCR console and select Namespace in the left sidebar.
- On the "Namespace" page, click the name of the instance for which you want to configure the blocking policy to go to the namespace details page.
- On the "Deployment security" page, enable the blocking and configure the vulnerability level to be blocked.
Configure the allowlist of vulnerabilities
After enabling the blocking, you can configure the allowlist of vulnerabilities. Enter one or more CVE IDs and separate them with commas. Then, if the image ID is contained in the security scanning result, it will be ignored by the blocking policy. That means, if there is a high-risk vulnerability in the image, and the vulnerability is configured in the allowlist, the image can be pulled normally even if it is configured to block the pulling of images with high-risk vulnerabilities.
Yes
No
Was this page helpful?