Restrict Image Registries

Images from unknown, public registries can be of dubious quality and may not be scanned and secured, representing a high degree of risk. Requiring use of known, approved registries helps reduce threat exposure by ensuring image pulls only come from them. This policy validates that container images only originate from the registry `eu.foo.io` or `bar.io`. Use of this policy requires customization to define your allowable registries.

Policy Definition

/best-practices/restrict-image-registries/restrict-image-registries.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
  annotations:
    policies.kyverno.io/title: Restrict Image Registries
    policies.kyverno.io/category: Best Practices, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.26"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Images from unknown, public registries can be of dubious quality and may not be
      scanned and secured, representing a high degree of risk. Requiring use of known, approved
      registries helps reduce threat exposure by ensuring image pulls only come from them. This
      policy validates that container images only originate from the registry `eu.foo.io` or
      `bar.io`. Use of this policy requires customization to define your allowable registries.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: validate-registries
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Unknown image registry."
      pattern:
        spec:
          =(ephemeralContainers):
          - image: "eu.foo.io/* | bar.io/*"
          =(initContainers):
          - image: "eu.foo.io/* | bar.io/*"
          containers:
          - image: "eu.foo.io/* | bar.io/*"
```
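As an added example (not part of this policy or of Kyverno's own code), the Python below approximates how the rule's image pattern is evaluated against a Pod spec, so candidate images can be sanity-checked offline before the policy is installed. It assumes Kyverno's wildcard semantics (`*` matches any run of characters, `|` separates alternatives, `=(...)` fields are checked only when present) and uses two constructed Pod specs.

```python
import re

# The allowed-registry pattern exactly as written in the policy above.
IMAGE_PATTERN = "eu.foo.io/* | bar.io/*"


def wildcard_to_regex(glob: str) -> re.Pattern:
    """Assumed Kyverno-style wildcard: '*' matches any characters (including '/'),
    '?' matches one character, everything else is literal; match is anchored."""
    parts = []
    for ch in glob:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def image_allowed(image: str, pattern: str = IMAGE_PATTERN) -> bool:
    """True if the image matches any '|'-separated alternative in the pattern."""
    return any(wildcard_to_regex(alt.strip()).fullmatch(image) for alt in pattern.split("|"))


def validate_pod(pod: dict) -> list:
    """Mimic the validate rule: 'containers' is required, initContainers and
    ephemeralContainers are conditional anchors. Returns offending images."""
    spec = pod.get("spec", {})
    if "containers" not in spec:
        return ["containers: missing"]
    violations = []
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for c in spec.get(field, []):
            if not image_allowed(c.get("image", "")):
                violations.append(f"{field}: {c.get('image', '')!r}")
    return violations


# Constructed sample Pods (not real workloads).
COMPLIANT_POD = {"spec": {
    "initContainers": [{"name": "migrate", "image": "bar.io/tools/migrate:2"}],
    "containers": [{"name": "api", "image": "eu.foo.io/team/api:1.4"}],
}}
NONCOMPLIANT_POD = {"spec": {
    # Bare image name: resolves to docker.io, which is not an approved registry.
    "containers": [{"name": "web", "image": "nginx:1.25"}],
    "ephemeralContainers": [{"name": "debug", "image": "docker.io/library/busybox:1.36"}],
}}

if __name__ == "__main__":
    print("compliant:", validate_pod(COMPLIANT_POD))
    print("non-compliant:", validate_pod(NONCOMPLIANT_POD))
```

Note that `eu.foo.io/*` admits any repository, tag or digest under that registry, so this rule restricts where images come from, not what they contain; a look-alike such as `bar.io.evil.example/app` is still rejected because the pattern requires the `/` directly after `bar.io`.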