Back to Policies

Advanced Restrict Image Registries

In instances where a ClusterPolicy defines all the approved image registries is insufficient, more granular control may be needed to set permitted registries, especially in multi-tenant use cases where some registries may be based on the Namespace. This policy shows an advanced version of the Restrict Image Registries policy which gets a global approved registry from a ConfigMap and, based upon an annotation at the Namespace level, gets the registry approved for that Namespace.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: advanced-restrict-image-registries
  annotations:
    policies.kyverno.io/title: Advanced Restrict Image Registries
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: In instances where a ClusterPolicy defines all the approved image registries is insufficient, more granular control may be needed to set permitted registries, especially in multi-tenant use cases where some registries may be based on the Namespace. This policy shows an advanced version of the Restrict Image Registries policy which gets a global approved registry from a ConfigMap and, based upon an annotation at the Namespace level, gets the registry approved for that Namespace.
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: validate-corp-registries
      match:
        any:
          - resources:
              kinds:
                - Pod
      context:
        - name: nsregistries
          apiCall:
            urlPath: /api/v1/namespaces/{{request.namespace}}
            jmesPath: metadata.annotations."corp.com/allowed-registries" || ''
        - name: clusterregistries
          configMap:
            name: clusterregistries
            namespace: default
      preconditions:
        any:
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: AnyIn
            value:
              - CREATE
              - UPDATE
      validate:
        message: This Pod names an image that is not from an approved registry.
        foreach:
          - list: request.object.spec.[initContainers, ephemeralContainers, containers][]
            deny:
              conditions:
                all:
                  - key: "{{element.image}}"
                    operator: NotEquals
                    value: "{{nsregistries}}"
                  - key: "{{element.image}}"
                    operator: NotEquals
                    value: "{{clusterregistries.data.registries}}"

Related Policies

ValidateMedium

Application Field Validation in CEL expressions

This policy performs some best practices validation on Application fields. Path or chart must be specified but never both. And destination.name or destination.server must be specified but never both.

Application
ValidateMedium

Prevent Use of Default Project in CEL expressions

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Prevent Updates to Project in CEL expressions

This policy prevents updates to the project field after an Application is created.

Application