Allowed Image Repositories

In addition to restricting the image registry from which images are pulled, in some cases and environments it may be required to also restrict which image repositories are used, for example in some restricted Namespaces. This policy ensures that the only allowed image repositories present in a given Pod, across any container type, come from the designated list.

Policy Definition

/other/allowed-image-repos/allowed-image-repos.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: allowed-image-repos
  annotations:
    policies.kyverno.io/title: Allowed Image Repositories
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      In addition to restricting the image registry from which images are pulled, in some cases
      and environments it may be required to also restrict which image repositories are used,
      for example in some restricted Namespaces. This policy ensures that the only allowed
      image repositories present in a given Pod, across any container type, come from the
      designated list.
spec:
  validationFailureAction: Audit
  background: false
  rules:
  - name: good-repos
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: >-
        All images in this Pod must come from an authorized repository.
      deny:
        conditions:
          all:
          - key: "{{ images.[containers, initContainers, ephemeralContainers][].*.name[] }}"
            operator: AnyNotIn
            value:
            - myknownimage
            - kyverno
```
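To see what the `deny` condition actually evaluates, the following added example (not code from the Kyverno policy library) re-implements the rule's logic offline: it walks `containers`, `initContainers` and `ephemeralContainers` of a Pod manifest, splits each image reference into registry, repository, name, tag and digest the way Kyverno's `images` variable does (the splitting here is an approximation of Kyverno's parser, written for this example), and applies `AnyNotIn` against the allow list. The sample Pods are constructed for the example. Note that the policy compares the image `name` (the final path segment), not the registry or full repository, which is why the page pairs it with a separate registry restriction; the third sample Pod shows that distinction.

```python
"""Stand-alone mirror of the allowed-image-repos rule (added example).

Assumptions: the image-reference splitting below approximates Kyverno's
`images` variable (registry / repository / name / tag / digest); the
sample Pod manifests are constructed inline for this example.
"""

CONTAINER_TYPES = ("containers", "initContainers", "ephemeralContainers")
ALLOWED_NAMES = ["myknownimage", "kyverno"]  # the policy's `value` list


def parse_image(ref: str) -> dict:
    """Split an image reference into the fields Kyverno exposes.

    Example: ghcr.io/kyverno/kyverno:v1.9.0 ->
      registry=ghcr.io repository=kyverno/kyverno name=kyverno tag=v1.9.0
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A tag is a ':' that appears after the last '/' (so "localhost:5000/x" has no tag).
    tag = None
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:
        ref, tag = ref[:colon], ref[colon + 1:]
    parts = ref.split("/")
    # The first component is a registry host if it contains '.' or ':' or is "localhost".
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], parts[1:]
    else:
        # Docker Hub default; single-segment names live under "library/".
        registry = "docker.io"
        path = parts if len(parts) > 1 else ["library"] + parts
    return {
        "registry": registry,
        "repository": "/".join(path),
        "name": path[-1],
        "tag": tag,
        "digest": digest,
    }


def image_names(pod: dict) -> list:
    """Equivalent of `images.[containers, initContainers, ephemeralContainers][].*.name[]`."""
    spec = pod.get("spec", {})
    names = []
    for ctype in CONTAINER_TYPES:
        for container in spec.get(ctype) or []:
            names.append(parse_image(container["image"])["name"])
    return names


def violations(pod: dict, allowed=ALLOWED_NAMES) -> list:
    """`operator: AnyNotIn` -> the rule denies when this list is non-empty."""
    return [name for name in image_names(pod) if name not in allowed]


# Constructed sample Pods.
GOOD_POD = {
    "kind": "Pod",
    "spec": {
        "initContainers": [{"name": "init", "image": "myknownimage:1.0"}],
        "containers": [{"name": "app", "image": "ghcr.io/kyverno/kyverno:v1.9.0"}],
    },
}

BAD_POD = {
    "kind": "Pod",
    "spec": {
        "containers": [{"name": "web", "image": "docker.io/library/nginx:1.25"}],
        "ephemeralContainers": [{"name": "debug", "image": "busybox"}],
    },
}

# Same allowed *name* from an unlisted registry: passes this rule, which is why
# the page says to combine it with a registry restriction.
OTHER_REGISTRY_POD = {
    "kind": "Pod",
    "spec": {"containers": [{"name": "app", "image": "registry.example.test/team/myknownimage:latest"}]},
}

if __name__ == "__main__":
    for label, pod in (("good", GOOD_POD), ("bad", BAD_POD), ("other-registry", OTHER_REGISTRY_POD)):
        bad = violations(pod)
        print(f"{label}: {'DENY ' + str(bad) if bad else 'allow'}")
```

Running the module prints `allow` for the first and third Pods and `DENY ['nginx', 'busybox']` for the second; with `validationFailureAction: Audit` as on the page, Kyverno would record such a denial as a PolicyReport entry rather than block the admission.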