Allowed Image Repositories
In addition to restricting the image registry from which images are pulled, in some cases and environments it may be required to also restrict which image repositories are used, for example in some restricted Namespaces. This policy ensures that the image repositories used in a given Pod, across all container types (containers, initContainers and ephemeralContainers), come only from the designated list.
Policy Definition
/other/allowed-image-repos/allowed-image-repos.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: allowed-image-repos
  annotations:
    policies.kyverno.io/title: Allowed Image Repositories
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      In addition to restricting the image registry from which images are pulled, in some cases
      and environments it may be required to also restrict which image repositories are used,
      for example in some restricted Namespaces. This policy ensures that the only allowed
      image repositories present in a given Pod, across any container type, come from the
      designated list.
spec:
  validationFailureAction: audit
  background: false
  rules:
  - name: good-repos
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: >-
        All images in this Pod must come from an authorized repository.
      deny:
        conditions:
          all:
          - key: "{{ images.[containers, initContainers, ephemeralContainers][].*.name[] }}"
            operator: AnyNotIn
            value:
            - myknownimage
            - kyverno
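The rule's deny logic, re-implemented as an added Python example (not code from the Kyverno project or from this page) so the allow-list can be exercised offline against constructed sample Pods; it assumes Kyverno's `images` variable reports the last path element of an image reference as `name`, which is the field the policy's key selects.

```python
# Added example: stand-alone re-implementation of the allowed-image-repos rule.
# Assumption: Kyverno's `images` variable exposes the last path element of an
# image reference as `name`, which the policy's JMESPath key collects.

ALLOWED_REPOS = {"myknownimage", "kyverno"}  # the rule's `value` list
CONTAINER_TYPES = ("containers", "initContainers", "ephemeralContainers")

def parse_image(ref):
    """Split an image reference into the fields the policy's key draws on."""
    digest = None
    if "@" in ref:                       # strip a digest: repo@sha256:...
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    # A first element with a dot, a port, or 'localhost' is a registry host;
    # otherwise Docker Hub is implied.
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:   # a colon in the last element is a tag
        path, tag = path.rsplit(":", 1)
    name = path.rsplit("/", 1)[-1]       # last path element only, e.g. "kyverno"
    return {"registry": registry, "path": path, "name": name, "tag": tag, "digest": digest}

def image_names(pod):
    """Collect `name` for every container type the rule's key enumerates."""
    spec = pod.get("spec", {})
    return [parse_image(c["image"])["name"]
            for ctype in CONTAINER_TYPES for c in spec.get(ctype, [])]

def evaluate(pod):
    """AnyNotIn semantics: deny when any image name is outside the allowed list."""
    offending = [n for n in image_names(pod) if n not in ALLOWED_REPOS]
    return ("deny", offending) if offending else ("pass", [])

# Constructed sample Pods (not real workloads).
POD_OK = {"spec": {"containers": [{"image": "ghcr.io/kyverno/kyverno:v1.9.0"}],
                   "initContainers": [{"image": "docker.io/library/myknownimage:1.0"}]}}
POD_BAD = {"spec": {"containers": [{"image": "myknownimage"}],
                    "ephemeralContainers": [{"image": "busybox:1.36"}]}}
# Same repository name under another registry: passes this rule, which is why the
# description says to combine it with a registry restriction.
POD_OTHER_REGISTRY = {"spec": {"containers": [{"image": "registry.example.test/team/myknownimage:2"}]}}

if __name__ == "__main__":
    for label, pod in (("ok", POD_OK), ("bad", POD_BAD), ("other-registry", POD_OTHER_REGISTRY)):
        print(label, evaluate(pod))
```

The third sample shows the consequence of keying on `name` alone: the unapproved ephemeral container is caught, but a matching repository name served from a different registry is not, so this rule only restricts repositories and still relies on a separate registry restriction.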