
Advanced Restrict Image Registries in CEL expressions

In cases where a ClusterPolicy that defines all the approved image registries is insufficient, more granular control may be needed to set permitted registries, especially in multi-tenant use cases where some registries may depend on the Namespace. This policy shows an advanced version of the Restrict Image Registries policy which reads a global approved registry from a ConfigMap and, based upon an annotation at the Namespace level, gets the registry approved for that Namespace.

Policy Definition

/other-cel/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: advanced-restrict-image-registries
  annotations:
    policies.kyverno.io/title: Advanced Restrict Image Registries in CEL expressions
    policies.kyverno.io/category: Other in CEL
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      In instances where a ClusterPolicy defines all the approved image registries
      is insufficient, more granular control may be needed to set permitted registries,
      especially in multi-tenant use cases where some registries may be based on
      the Namespace. This policy shows an advanced version of the Restrict Image Registries
      policy which gets a global approved registry from a ConfigMap and, based upon an
      annotation at the Namespace level, gets the registry approved for that Namespace.
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: validate-corp-registries
      match:
        any:
        - resources:
            kinds:
            - Pod
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          paramKind:
            apiVersion: v1
            kind: ConfigMap
          paramRef:
            name: clusterregistries
            namespace: default
            parameterNotFoundAction: Deny
          variables:
            - name: allContainers
              expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
            - name: nsregistries
              expression: >-
                namespaceObject.metadata.?annotations[?'corp.com/allowed-registries'].orValue(' ')
            - name: clusterregistries
              expression: "params.data[?'registries'].orValue(' ')"
          expressions:
            - expression: "variables.allContainers.all(container, container.image.startsWith(variables.nsregistries) || container.image.startsWith(variables.clusterregistries))"
              message: This Pod names an image that is not from an approved registry.
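As an added example (not part of this policy page or the Kyverno project), the rule's three variables and its expression mirrored in plain Python, so the admission outcome for a Pod can be checked locally against constructed Pod, Namespace and ConfigMap objects before the ClusterPolicy is applied; the registry values, namespace names and images are assumptions.

```python
"""Local mirror of the policy's CEL rule (constructed example, not Kyverno code).
Inputs are plain dicts shaped like the Pod (object), its Namespace (namespaceObject)
and the parameter ConfigMap (params) that Kyverno hands to the CEL expression."""
from typing import Optional

ANNOTATION = "corp.com/allowed-registries"  # Namespace annotation named in the policy
PARAM_KEY = "registries"                     # ConfigMap data key named in the policy
DENY_MSG = "This Pod names an image that is not from an approved registry."
# orValue(' '): a lone space never prefixes a real image reference, so a
# missing annotation or ConfigMap key approves nothing on its own.
NO_REGISTRY = " "

def all_containers(pod: dict) -> list:
    """variables.allContainers: containers + optional init/ephemeral containers."""
    spec = pod.get("spec", {})
    return (spec.get("containers", []) + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))

def ns_registry(namespace: dict) -> str:
    """variables.nsregistries: the Namespace annotation, or ' ' when unset."""
    return namespace.get("metadata", {}).get("annotations", {}).get(ANNOTATION, NO_REGISTRY)

def cluster_registry(params: dict) -> str:
    """variables.clusterregistries: ConfigMap data.registries, or ' ' when unset."""
    return params.get("data", {}).get(PARAM_KEY, NO_REGISTRY)

def evaluate(pod: dict, namespace: dict, params: Optional[dict]) -> tuple:
    """Return (allowed, message) as the admission decision would go."""
    if params is None:  # paramRef.parameterNotFoundAction: Deny
        return False, "parameter ConfigMap 'clusterregistries' not found"
    ns_reg, cl_reg = ns_registry(namespace), cluster_registry(params)
    # startsWith is a plain prefix test: keep registry values terminated with '/'
    # so 'ghcr.io/corp/' cannot also approve 'ghcr.io/corp-other/...'.
    ok = all(c["image"].startswith(ns_reg) or c["image"].startswith(cl_reg)
             for c in all_containers(pod))
    return ok, "" if ok else DENY_MSG

# Constructed sample objects (assumed names and registries)
CONFIGMAP = {"metadata": {"name": "clusterregistries", "namespace": "default"},
             "data": {"registries": "registry.corp.com/"}}
TENANT_NS = {"metadata": {"name": "tenant-a",
                          "annotations": {ANNOTATION: "ghcr.io/tenant-a/"}}}
PLAIN_NS = {"metadata": {"name": "tenant-b"}}  # no annotation at all
POD_OK = {"spec": {"containers": [{"image": "registry.corp.com/app:1.0"}],
                   "initContainers": [{"image": "ghcr.io/tenant-a/init:2"}]}}
POD_BAD = {"spec": {"containers": [{"image": "registry.corp.com/app:1.0"}],
                    "ephemeralContainers": [{"image": "docker.io/library/busybox"}]}}
if __name__ == "__main__":
    print(evaluate(POD_OK, TENANT_NS, CONFIGMAP), evaluate(POD_BAD, TENANT_NS, CONFIGMAP))
```

The same Pod is admitted in tenant-a but rejected in tenant-b, because without the annotation the init container's registry is approved by nothing.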