Images from unknown, public registries can be of dubious quality and may not be scanned and secured, representing a high degree of risk. Requiring use of known, approved registries helps reduce threat exposure by ensuring image pulls only come from them. This policy validates that container images only originate from the registry `eu.foo.io` or `bar.io`. Use of this policy requires customization to define your allowable registries.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
  annotations:
    policies.kyverno.io/title: Restrict Image Registries
    policies.kyverno.io/category: Best Practices, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.26"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Images from unknown, public registries can be of dubious quality and may not be
      scanned and secured, representing a high degree of risk. Requiring use of known, approved
      registries helps reduce threat exposure by ensuring image pulls only come from them. This policy
      validates that container images only originate from the registry `eu.foo.io` or `bar.io`.
      Use of this policy requires customization to define your allowable registries.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: validate-registries
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: Unknown image registry.
      pattern:
        spec:
          "=(ephemeralContainers)":
          - image: eu.foo.io/* | bar.io/*
          "=(initContainers)":
          - image: eu.foo.io/* | bar.io/*
          containers:
          - image: eu.foo.io/* | bar.io/*
```
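To see what the `validate-registries` pattern actually accepts and rejects before switching `validationFailureAction` from `Audit` to `Enforce`, here is an added stand-alone model of the rule's matching (example code written for this page, not Kyverno's own implementation). It assumes Kyverno's documented pattern semantics: `|` separates alternatives, `*` matches any run of characters including `/`, `?` matches one character, and the `=( )` anchor makes a list optional while still checking every element when present. The sample Pod is constructed.

```python
"""Model of the restrict-image-registries pattern rule (constructed example, not Kyverno code)."""
import re

# Same value as the policy's pattern; "|" separates alternatives, "*" is a wildcard.
ALLOWED_IMAGE_PATTERN = "eu.foo.io/* | bar.io/*"
# Pod spec lists the rule covers; the policy marks the first two optional with =( ).
CONTAINER_LISTS = ("ephemeralContainers", "initContainers", "containers")


def wildcard_match(pattern: str, value: str) -> bool:
    """Kyverno-style wildcard (assumed semantics): '*' matches any run of characters
    including '/', '?' matches exactly one; everything else is literal, full-string match."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def image_allowed(image: str, pattern: str = ALLOWED_IMAGE_PATTERN) -> bool:
    """An image passes if it matches any '|'-separated alternative of the pattern.
    A bare image like 'nginx:1.25' fails: the pattern never sees the implicit docker.io."""
    return any(wildcard_match(alt.strip(), image) for alt in pattern.split("|"))


def validate_pod(pod: dict) -> list:
    """Return one violation per offending image; an empty list means the Pod passes.
    Each container list is checked only if present, and every element must match."""
    violations = []
    spec = pod.get("spec", {})
    for list_name in CONTAINER_LISTS:
        for idx, container in enumerate(spec.get(list_name, [])):
            image = container.get("image", "")
            if not image_allowed(image):
                violations.append(f"Unknown image registry: spec.{list_name}[{idx}].image={image!r}")
    return violations


SAMPLE_POD = {  # constructed input: one approved image, one init image from Docker Hub
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {
        "initContainers": [{"name": "init", "image": "nginx:1.25"}],
        "containers": [{"name": "web", "image": "eu.foo.io/team/web:1.0"}],
    },
}

if __name__ == "__main__":
    for line in validate_pod(SAMPLE_POD) or ["pod passes restrict-image-registries"]:
        print(line)
```

Note that `bar.io/*` requires the slash, so `bar.io.evil.example/app` and `docker.io/bar.io/app` are both rejected, while `eu.foo.io/*` accepts any tag or digest after the registry path.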