Allowed Base Images
Building images which specify a base as their origin is a good start to improving supply chain security, but over time organizations may want to build an allow list of specific base images which are allowed to be used when constructing containers. This policy ensures that a container's base, found in an OCI annotation, is in a cluster-wide allow list.
Policy Definition
/other/allowed-base-images/allowed-base-images.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: allowed-base-images
  annotations:
    policies.kyverno.io/title: Allowed Base Images
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.7.0
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Building images which specify a base as their origin is a good start
      to improving supply chain security, but over time organizations
      may want to build an allow list of specific base images which
      are allowed to be used when constructing containers. This policy ensures
      that a container's base, found in an OCI annotation, is in a cluster-wide
      allow list.
spec:
  validationFailureAction: audit
  rules:
  - name: allowed-base-images
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: NotEquals
        value: DELETE
    context:
    - name: baseimages
      configMap:
        name: baseimages
        namespace: platform
    validate:
      message: >-
        This container image's base is not in the approved list or is not specified. Only pre-approved
        base images may be used. Please contact the platform team for assistance.
      foreach:
      - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
        context:
        - name: imageData
          imageRegistry:
            reference: "{{ element.image }}"
        - name: basename
          variable:
            jmesPath: imageData.manifest.annotations."org.opencontainers.image.base.name"
            default: ''
        deny:
          conditions:
            all:
            - key: "{{ basename }}"
              operator: AnyNotIn
              value: "{{ baseimages.data.allowedbaseimages }}"
```
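To see how the rule's deny condition behaves across the three container lists, including an image built without the base annotation, here is an added Python model of the policy logic; it is not part of the Kyverno policy or project. The ConfigMap layout (a JSON-array string, which Kyverno parses into a list), the image names and the manifest annotations are all constructed for this example.

```python
"""Offline model of the allowed-base-images deny logic (added example, not Kyverno code)."""
import json

# Constructed stand-in for the `baseimages` ConfigMap in the `platform` namespace.
# The allow list is assumed to be stored as a JSON-array string, which Kyverno
# turns into a list so AnyNotIn can compare against it.
CONFIGMAP_ALLOWED = '["docker.io/library/alpine:3.18", "registry.example.com/base/distroless:nonroot"]'

# Constructed stand-in for the imageRegistry context: image reference -> manifest annotations.
BASE_ANNOTATION = "org.opencontainers.image.base.name"
MANIFESTS = {
    "registry.example.com/app/api:1.4": {BASE_ANNOTATION: "registry.example.com/base/distroless:nonroot"},
    "registry.example.com/app/worker:2.0": {BASE_ANNOTATION: "docker.io/library/ubuntu:22.04"},
    "registry.example.com/app/legacy:0.9": {},  # built without any base annotation
}


def base_name(image: str) -> str:
    """Mirror the `basename` variable: the OCI base annotation, or '' when absent."""
    return MANIFESTS.get(image, {}).get(BASE_ANNOTATION, "")


def evaluate_pod(pod_spec: dict, allowed_json: str) -> list:
    """Walk ephemeralContainers, initContainers and containers, as the policy's
    foreach list does, and return (container name, base) for each denied element.
    The deny fires whenever the base is not in the allow list; since the default
    is '', an image with no base annotation is rejected as well."""
    allowed = set(json.loads(allowed_json))
    denied = []
    for field in ("ephemeralContainers", "initContainers", "containers"):
        for container in pod_spec.get(field, []):
            base = base_name(container["image"])
            if base not in allowed:  # AnyNotIn with a single-element key
                denied.append((container["name"], base))
    return denied


if __name__ == "__main__":
    pod = {
        "initContainers": [{"name": "migrate", "image": "registry.example.com/app/legacy:0.9"}],
        "containers": [
            {"name": "api", "image": "registry.example.com/app/api:1.4"},
            {"name": "worker", "image": "registry.example.com/app/worker:2.0"},
        ],
    }
    for name, base in evaluate_pod(pod, CONFIGMAP_ALLOWED):
        print(f"deny {name}: base {base!r} is not in the approved list")
```

In the sample Pod only `api` passes: `worker` is built on an unapproved base and `migrate` carries no base annotation at all, so both are reported.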