All Policies

Allowed Base Images

Building images which specify a base as their origin is a good start to improving supply chain security, but over time organizations may want to build an allow list of specific base images which are allowed to be used when constructing containers. This policy ensures that a container's base, found in an OCI annotation, is in a cluster-wide allow list.

Policy Definition

/other/allowed-base-images/allowed-base-images.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: allowed-base-images
 5  annotations:
 6    policies.kyverno.io/title: Allowed Base Images
 7    policies.kyverno.io/category: Other
 8    policies.kyverno.io/severity: medium
 9    kyverno.io/kyverno-version: 1.7.0
10    policies.kyverno.io/minversion: 1.7.0
11    kyverno.io/kubernetes-version: "1.23"
12    policies.kyverno.io/subject: Pod
13    policies.kyverno.io/description: >-
14      Building images which specify a base as their origin is a good start
15      to improving supply chain security, but over time organizations
16      may want to build an allow list of specific base images which
17      are allowed to be used when constructing containers. This policy ensures
18      that a container's base, found in an OCI annotation, is in a cluster-wide
19      allow list.      
20spec:
21  validationFailureAction: audit
22  rules:
23  - name: allowed-base-images
24    match:
25      any:
26      - resources:
27          kinds:
28          - Pod
29    preconditions:
30      all:
31      - key: "{{request.operation || 'BACKGROUND'}}"
32        operator: NotEquals
33        value: DELETE
34    context:
35    - name: baseimages
36      configMap:
37        name: baseimages
38        namespace: platform
39    validate:
40      message: >-
41        This container image's base is not in the approved list or is not specified. Only pre-approved
42        base images may be used. Please contact the platform team for assistance.        
43      foreach:
44      - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
45        context:
46        - name: imageData
47          imageRegistry: 
48            reference: "{{ element.image }}"
49        - name: basename
50          variable:
51            jmesPath: imageData.manifest.annotations."org.opencontainers.image.base.name"
52            default: ''
53        deny:
54          conditions:
55            all:
56              - key: "{{ basename }}"
57                operator: AnyNotIn
58                value: "{{ baseimages.data.allowedbaseimages }}"