Restrict Image Registries
Images from unknown, public registries can be of dubious quality and may not be scanned and secured, representing a high degree of risk. Requiring use of known, approved registries helps reduce threat exposure by ensuring image pulls only come from them. This sample validates that every image listed in `spec.containers` originates from the registry `eu.foo.io` or `bar.io`. Two things to keep in mind when adopting it: as written, the rule does not inspect `initContainers` or `ephemeralContainers`, and with `validationFailureAction: audit` violations are only recorded in policy reports (for existing Pods too, because `background: true`) rather than rejected at admission; set it to `enforce` to block non-compliant Pods.
Policy Definition
/best-practices/restrict_image_registries/restrict_image_registries.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
  annotations:
    policies.kyverno.io/title: Restrict Image Registries
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.3.0
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Images from unknown, public registries can be of dubious quality and may not be
      scanned and secured, representing a high degree of risk. Requiring use of known, approved
      registries helps reduce threat exposure by ensuring image pulls only come from them. This
      sample validates that container images only originate from the registry `eu.foo.io` or
      `bar.io`.
spec:
  # audit only reports violations; use enforce to reject non-compliant Pods
  validationFailureAction: audit
  # also evaluate Pods that already exist in the cluster
  background: true
  rules:
  - name: validate-registries
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Unknown image registry."
      pattern:
        spec:
          # every element of spec.containers must match one of the
          # "|"-separated wildcard alternatives
          containers:
          - image: "eu.foo.io/* | bar.io/*"
```
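To see what this rule actually accepts and rejects without a cluster, the following added example (not part of the Kyverno policy library) re-implements the matching the pattern relies on: the value is split on `|` into wildcard alternatives, and every container image must match at least one of them. The Pod manifests are constructed for the demonstration. It uses Python's `fnmatchcase` for the wildcard, which, like Kyverno's, treats `*` as matching any run of characters including `/` and anchors the pattern at both ends; the `[...]` character classes `fnmatch` also understands have no Kyverno equivalent and are simply not used here.

```python
"""Offline check of the restrict-image-registries pattern against Pod manifests.

Added example, not the policy's own code. Mirrors the rule's semantics:
a '|'-separated list of wildcard patterns, one of which must match every
container image. Sample Pods are constructed for the demo.
"""
from fnmatch import fnmatchcase

# The pattern value exactly as it appears in the policy above.
POLICY_PATTERN = "eu.foo.io/* | bar.io/*"

ALL_CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def parse_alternatives(pattern: str) -> list[str]:
    """Split a Kyverno-style 'a | b' pattern into trimmed alternatives."""
    return [p.strip() for p in pattern.split("|") if p.strip()]


def image_allowed(image: str, pattern: str = POLICY_PATTERN) -> bool:
    """True if the image matches at least one alternative.

    '*' matches anything, '/' included, so 'bar.io/*' accepts
    'bar.io/team/app:1.0'. The match is anchored at both ends, so a
    look-alike such as 'eu.foo.io.evil.example/app' or 'foobar.io/app'
    is rejected, as is a bare 'nginx' (implicitly docker.io).
    """
    return any(fnmatchcase(image, alt) for alt in parse_alternatives(pattern))


def find_violations(pod: dict, fields=("containers",), pattern: str = POLICY_PATTERN) -> list[str]:
    """Return 'field/name=image' for each container whose image fails.

    The default fields=('containers',) mirrors the policy as written; pass
    ALL_CONTAINER_FIELDS to see what init and ephemeral containers it misses.
    """
    violations = []
    spec = pod.get("spec", {})
    for field in fields:
        for c in spec.get(field, []):
            img = c.get("image", "")
            if not image_allowed(img, pattern):
                violations.append(f"{field}/{c.get('name')}={img}")
    return violations


# Constructed sample Pods (hypothetical names and images).
GOOD_POD = {
    "kind": "Pod",
    "metadata": {"name": "good"},
    "spec": {"containers": [
        {"name": "app", "image": "eu.foo.io/team/app:1.2.3"},
        {"name": "sidecar", "image": "bar.io/proxy:2.0"},
    ]},
}

BAD_POD = {
    "kind": "Pod",
    "metadata": {"name": "bad"},
    "spec": {
        # not covered by the policy's pattern, which only walks spec.containers
        "initContainers": [{"name": "init", "image": "docker.io/library/busybox:1.36"}],
        "containers": [
            {"name": "app", "image": "nginx"},                          # implicit docker.io
            {"name": "lookalike", "image": "eu.foo.io.evil.example/app"},  # prefix trick
            {"name": "ok", "image": "bar.io/app:1"},
        ],
    },
}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        name = pod["metadata"]["name"]
        print(f"{name}: policy as written ->", find_violations(pod))
        print(f"{name}: all container fields ->", find_violations(pod, ALL_CONTAINER_FIELDS))
```

Running it shows the `bad` Pod's init container slipping past the rule as written; in the real policy, the fix is to add `initContainers` (and, where relevant, `ephemeralContainers`) under `pattern.spec` with the same image pattern.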