Advanced Restrict Image Registries

In instances where a ClusterPolicy that defines all the approved image registries is insufficient, more granular control may be needed to set permitted registries, especially in multi-tenant use cases where some registries may be based on the Namespace. This policy shows an advanced version of the Restrict Image Registries policy which gets a global approved registry from a ConfigMap and, based upon an annotation at the Namespace level, gets the registry approved for that Namespace.

Policy Definition

/other/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: advanced-restrict-image-registries
  annotations:
    policies.kyverno.io/title: Advanced Restrict Image Registries
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      In instances where a ClusterPolicy defines all the approved image registries
      is insufficient, more granular control may be needed to set permitted registries,
      especially in multi-tenant use cases where some registries may be based on
      the Namespace. This policy shows an advanced version of the Restrict Image Registries
      policy which gets a global approved registry from a ConfigMap and, based upon an
      annotation at the Namespace level, gets the registry approved for that Namespace.
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: validate-corp-registries
      match:
        any:
        - resources:
            kinds:
            - Pod
      context:
        # Get the value of the Namespace annotation called `corp.com/allowed-registries` and store. The value
        # must end with a wildcard. Currently assumes there is only a single registry name in the value.
        - name: nsregistries
          apiCall:
            urlPath: "/api/v1/namespaces/{{request.namespace}}"
            jmesPath: "metadata.annotations.\"corp.com/allowed-registries\" || ''"
        # Get the ConfigMap in the `default` Namespace called `clusterregistries` and store. The value of the key
        # must end with a wildcard. Currently assumes there is only a single registry name in the value.
        - name: clusterregistries
          configMap:
            name: clusterregistries
            namespace: default
      preconditions:
        any:
        - key: "{{request.operation || 'BACKGROUND'}}"
          operator: AnyIn
          value:
          - CREATE
          - UPDATE
      validate:
        message: This Pod names an image that is not from an approved registry.
        foreach:
        # Create a flattened array of all containers in the Pod.
        - list: "request.object.spec.[initContainers, ephemeralContainers, containers][]"
          deny:
            conditions:
              all:
                # Loop over every image and deny the Pod if any image doesn't match either the allowed registry in the
                # cluster ConfigMap or the annotation on the Namespace where the Pod is created.
                - key: "{{element.image}}"
                  operator: NotEquals
                  value: "{{nsregistries}}"
                - key: "{{element.image}}"
                  operator: NotEquals
                  value: "{{clusterregistries.data.registries}}"
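The policy above only works once the two resources it reads at admission time exist: the `clusterregistries` ConfigMap in the `default` Namespace (key `registries`) and the `corp.com/allowed-registries` annotation on the tenant Namespace. The following manifests are an added example, not part of the policy page or the Kyverno project; the Namespace name, registry hostnames, image names and annotation value are constructed for illustration. Two Pods are included so the rule can be exercised against an allowed and a denied case.

```yaml
# Added example (not from the policy page): supporting resources for
# advanced-restrict-image-registries plus two Pods that exercise it.
# All names, registries and image references below are constructed.
---
# Cluster-wide approved registry. The policy reads key `registries` from the
# ConfigMap `clusterregistries` in the `default` Namespace; the value must end
# with a wildcard and hold a single registry prefix.
apiVersion: v1
kind: ConfigMap
metadata:
  name: clusterregistries
  namespace: default
data:
  registries: "ghcr.io/corp/*"
---
# Tenant Namespace whose own approved registry is supplied via the annotation
# that the policy's apiCall context entry looks up. The value must also end
# with a wildcard.
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a
  annotations:
    corp.com/allowed-registries: "registry.corp.example/tenant-a/*"
---
# Allowed: every container (init and regular) matches one of the two patterns,
# so for each element at least one NotEquals condition is false and the
# `all` block never denies.
apiVersion: v1
kind: Pod
metadata:
  name: allowed-pod
  namespace: tenant-a
spec:
  initContainers:
    - name: init
      image: ghcr.io/corp/init:1.2.0
  containers:
    - name: app
      image: registry.corp.example/tenant-a/app:2.0.1
---
# Denied: the sidecar image matches neither pattern, so both NotEquals
# conditions hold for that element and the foreach deny fires.
apiVersion: v1
kind: Pod
metadata:
  name: denied-pod
  namespace: tenant-a
spec:
  containers:
    - name: app
      image: registry.corp.example/tenant-a/app:2.0.1
    - name: sidecar
      image: docker.io/library/busybox:1.36
```

Apply the ConfigMap and Namespace before the Pods. With `validationFailureAction: Audit` as written, `denied-pod` is still admitted and the violation is recorded in a PolicyReport; set the action to `Enforce` to block it. Two points worth checking when adopting this policy: if a Namespace carries no annotation, `nsregistries` resolves to the empty string, `NotEquals ''` is true for every image, and only the ConfigMap registry applies; and because the cluster-wide allow pattern lives in a plain ConfigMap in `default`, write access to that ConfigMap is effectively write access to the registry allow list and should be restricted by RBAC accordingly.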