Restrict Image Registries

Images from unknown registries may not be scanned and secured. Requiring use of known registries helps reduce threat exposure.

Policy Definition

/best-practices/restrict_image_registries.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
  annotations:
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/description: >-
      Images from unknown registries may not be scanned and secured. 
      Requiring use of known registries helps reduce threat exposure.
spec:
  validationFailureAction: audit
  rules:
  - name: validate-registries
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Unknown image registry."
      pattern:
        spec:
          containers:
          - image: "k8s.gcr.io/* | gcr.io/*"
Last modified January 2, 2021: fix titles (9a0d72f)