Back to Policies

Allowed Base Images

Building images which specify a base as their origin is a good start to improving supply chain security, but over time organizations may want to build an allow list of specific base images which are allowed to be used when constructing containers. This policy ensures that a container's base, found in an OCI annotation, is in a cluster-wide allow list.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: allowed-base-images
  annotations:
    policies.kyverno.io/title: Allowed Base Images
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.7.0
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: Building images which specify a base as their origin is a good start to improving supply chain security, but over time organizations may want to build an allow list of specific base images which are allowed to be used when constructing containers. This policy ensures that a container's base, found in an OCI annotation, is in a cluster-wide allow list.
spec:
  validationFailureAction: Audit
  rules:
    - name: allowed-base-images
      match:
        any:
          - resources:
              kinds:
                - Pod
      preconditions:
        all:
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: NotEquals
            value: DELETE
      context:
        - name: baseimages
          configMap:
            name: baseimages
            namespace: platform
      validate:
        message: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance.
        foreach:
          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
            context:
              - name: imageData
                imageRegistry:
                  reference: "{{ element.image }}"
              - name: basename
                variable:
                  jmesPath: imageData.manifest.annotations."org.opencontainers.image.base.name"
                  default: ""
            deny:
              conditions:
                all:
                  - key: "{{ basename }}"
                    operator: AnyNotIn
                    value: "{{ baseimages.data.allowedbaseimages }}"

Related Policies

ValidateMedium

Prevent Use of Default Project

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Require Encryption with AWS LoadBalancers

Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.

Service
ValidateMedium

Prevent Updates to Project

This policy prevents updates to the project field after an Application is created.

Application