Allowed Image Repositories

In addition to restricting the image registry from which images are pulled, in some cases and environments it may be required to also restrict which image repositories are used, for example in some restricted Namespaces. This policy ensures that the only allowed image repositories present in a given Pod, across any container type, come from the designated list.

Policy Definition

/other/allowed-image-repos/allowed-image-repos.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: allowed-image-repos
  annotations:
    policies.kyverno.io/title: Allowed Image Repositories
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      In addition to restricting the image registry from which images are pulled, in some cases
      and environments it may be required to also restrict which image repositories are used,
      for example in some restricted Namespaces. This policy ensures that the only allowed
      image repositories present in a given Pod, across any container type, come from the
      designated list.
spec:
  validationFailureAction: audit
  background: false
  rules:
    - name: good-repos
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          All images in this Pod must come from an authorized repository.
        deny:
          conditions:
            all:
            - key: "{{ images.[containers, initContainers, ephemeralContainers][].*.name[] }}"
              operator: AnyNotIn
              value:
              - myknownimage
              - kyverno
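As an added illustration (not part of the policy above or of Kyverno's own code), the following Python mirrors how the deny rule evaluates: it splits image references using the Docker reference rules (an assumption about how Kyverno's `images` variable derives `name`, since its parser is not shown on this page), gathers the `name` of every image across containers, initContainers and ephemeralContainers, and applies AnyNotIn against the allowed list. The sample Pods are constructed for the example.

```python
from typing import Dict, List

# The `value` list from the policy above.
ALLOWED_REPOS = ["myknownimage", "kyverno"]

def parse_image(ref: str) -> Dict[str, str]:
    """Split an image reference into registry/path/name/tag/digest.
    Assumption: Kyverno's `images` variable follows the Docker reference
    rules (default registry docker.io, official images under library/)."""
    digest = ""
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    # The first component is a registry only if it looks like a host.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, remainder = parts[0], parts[1:]
    else:
        registry, remainder = "docker.io", parts
    if registry == "docker.io" and len(remainder) == 1:
        remainder = ["library"] + remainder
    last, tag = remainder[-1], ""
    if ":" in last:
        last, tag = last.split(":", 1)
        remainder[-1] = last
    return {"registry": registry, "path": "/".join(remainder),
            "name": last, "tag": tag, "digest": digest}

def image_names(pod: dict) -> List[str]:
    """Mirror the JMESPath key: `name` of every image in all three container lists."""
    names = []
    for ctype in ("containers", "initContainers", "ephemeralContainers"):
        for c in pod.get("spec", {}).get(ctype, []):
            names.append(parse_image(c["image"])["name"])
    return names

def violations(pod: dict, allowed: List[str] = ALLOWED_REPOS) -> List[str]:
    """AnyNotIn: deny when any collected name is outside `allowed`.
    Returns the offending names; an empty list means the Pod is admitted."""
    return [n for n in image_names(pod) if n not in allowed]

# Constructed sample Pods (not from the page).
GOOD_POD = {"spec": {"containers": [{"image": "myknownimage:1.0"}],
                     "initContainers": [{"image": "ghcr.io/kyverno/kyverno:v1.9.0"}]}}
BAD_POD = {"spec": {"containers": [{"image": "myknownimage"}],
                    "initContainers": [{"image": "nginx:1.25"}]}}

if __name__ == "__main__":
    print("good:", violations(GOOD_POD), "bad:", violations(BAD_POD))
```

Note that the key compares only `name`, so registry and path are ignored (`localhost:5000/myknownimage` passes just like `myknownimage`); that is why the description pairs this policy with a separate registry restriction.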