Restrict Image Registries

Images from unknown, public registries can be of dubious quality and may not be scanned and secured, representing a high degree of risk. Requiring use of known, approved registries helps reduce threat exposure by ensuring image pulls only come from them. This sample validates that container images only originate from the registry `eu.foo.io` or `bar.io`.

Policy Definition

/best-practices/restrict_image_registries/restrict_image_registries.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
  annotations:
    policies.kyverno.io/title: Restrict Image Registries
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.3.0
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Images from unknown, public registries can be of dubious quality and may not be
      scanned and secured, representing a high degree of risk. Requiring use of known, approved
      registries helps reduce threat exposure by ensuring image pulls only come from them. This
      sample validates that container images only originate from the registry `eu.foo.io` or
      `bar.io`.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: validate-registries
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Unknown image registry."
      pattern:
        spec:
          containers:
          - image: "eu.foo.io/* | bar.io/*"
```
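As an added illustration, not part of the policy library, the Python below approximates the check the `image` pattern performs, reusing the policy's own pattern string, and goes one step further than the policy: it also inspects `initContainers` and `ephemeralContainers`, which the `spec.containers` pattern above does not cover. `fnmatch` stands in for Kyverno's wildcard matching, and the sample Pod is constructed for the example.

```python
"""Offline approximation of the restrict-image-registries pattern check."""
from fnmatch import fnmatchcase
from typing import Dict, List

# Pattern string copied from the policy; " | " separates alternatives.
ALLOWED = "eu.foo.io/* | bar.io/*"


def split_alternatives(pattern: str) -> List[str]:
    """Kyverno treats '|' inside a pattern string as OR between alternatives."""
    return [alt.strip() for alt in pattern.split("|") if alt.strip()]


def image_allowed(image: str, pattern: str = ALLOWED) -> bool:
    """Match the image string literally, as the pattern does. A bare 'nginx'
    is not expanded to 'docker.io/library/nginx', so it fails, as intended."""
    return any(fnmatchcase(image, alt) for alt in split_alternatives(pattern))


def violations(pod: Dict, pattern: str = ALLOWED) -> List[str]:
    """Return 'field/name: image' for every container whose image fails.
    Unlike the policy above, init and ephemeral containers are checked too."""
    spec = pod.get("spec", {})
    bad = []
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for c in spec.get(field, []):
            image = c.get("image", "")
            if not image_allowed(image, pattern):
                bad.append(f"{field}/{c.get('name', '?')}: {image}")
    return bad


# Constructed sample Pod (hypothetical, not from the page).
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "initContainers": [{"name": "init", "image": "docker.io/library/busybox:1.36"}],
        "containers": [
            {"name": "app", "image": "eu.foo.io/team/app:1.2.3"},
            {"name": "sidecar", "image": "bar.io/sidecar@sha256:" + "0" * 64},
            {"name": "web", "image": "nginx:1.25"},
        ],
    },
}

if __name__ == "__main__":
    for v in violations(SAMPLE_POD):
        print("Unknown image registry:", v)
```

Note that the policy as shown sets `validationFailureAction: audit`, so a non-matching Pod is only reported; `enforce` is the value that rejects it at admission.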