In addition to restricting the image registry from which images are pulled, in some cases and environments it may be required to also restrict which image repositories are used, for example in some restricted Namespaces. This policy ensures that the only allowed image repositories present in a given Pod, across any container type (containers, initContainers and ephemeralContainers), come from the designated list. Note that the rule compares the image `name` field of Kyverno's `images` variable, which is the last path segment of the reference without registry or tag, so it should be paired with a registry restriction rather than used on its own; it also ships with `validationFailureAction: Audit`, which only records violations, and must be set to `Enforce` to actually block Pods.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: allowed-image-repos
  annotations:
    policies.kyverno.io/title: Allowed Image Repositories
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      In addition to restricting the image registry from which images are pulled, in some cases and environments
      it may be required to also restrict which image repositories are used, for example in some restricted Namespaces.
      This policy ensures that the only allowed image repositories present in a given Pod, across any container type,
      come from the designated list.
spec:
  validationFailureAction: Audit
  background: false
  rules:
  - name: good-repos
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: All images in this Pod must come from an authorized repository.
      deny:
        conditions:
          all:
          - key: "{{ images.[containers, initContainers, ephemeralContainers][].*.name[] }}"
            operator: AnyNotIn
            value:
            - myknownimage
            - kyverno
```
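To see exactly what the deny condition above evaluates, here is an offline model of the rule written for this page; it is an added example, not code from the Kyverno policy library. It collects the same values as the JMESPath key `images.[containers, initContainers, ephemeralContainers][].*.name[]` and applies the `AnyNotIn` decision to three constructed Pods, the third of which shows the registry-bypass case the rule alone does not cover. `parse_image()` is an approximation of the fields Kyverno's `images` variable exposes; the `docker.io`/`library` defaulting is an assumption about its normalisation, and only `name` (last path segment) matters for this rule.

```python
"""Offline model of the allowed-image-repos deny rule (added example, not
part of the Kyverno policy library)."""
from typing import Dict, List, Optional

CONTAINER_TYPES = ("containers", "initContainers", "ephemeralContainers")
ALLOWED_NAMES = ["myknownimage", "kyverno"]  # the policy's `value` list
DENY_MESSAGE = "All images in this Pod must come from an authorized repository."


def parse_image(ref: str) -> Dict[str, Optional[str]]:
    """Split an image reference into registry, path, name, tag and digest.
    Approximation of Kyverno's `images` variable fields (assumption)."""
    digest: Optional[str] = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    # The first component is a registry host only if it looks like one.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref  # assumption: docker.io default
    tag: Optional[str] = None
    if ":" in path.rsplit("/", 1)[-1]:  # a colon in the last segment is a tag
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path  # assumption: official-image namespace
    return {"registry": registry, "path": path,
            "name": path.rsplit("/", 1)[-1], "tag": tag, "digest": digest}


def image_names(pod: dict) -> List[str]:
    """What the policy's JMESPath key yields: every container's image `name`,
    across all three container types."""
    spec = pod.get("spec") or {}
    return [parse_image(c["image"])["name"]
            for ctype in CONTAINER_TYPES
            for c in (spec.get(ctype) or [])]


def evaluate(pod: dict, allowed: List[str] = ALLOWED_NAMES) -> dict:
    """AnyNotIn: the deny condition holds if any collected name is absent
    from `allowed`. Returns the decision and the offending names."""
    names = image_names(pod)
    offending = [n for n in names if n not in allowed]
    return {"names": names, "denied": bool(offending),
            "offending": offending,
            "message": DENY_MESSAGE if offending else "pass"}


# Constructed sample Pods (not taken from the page).
def _pod(name: str, **kinds) -> dict:
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name}, "spec": kinds}


POD_OK = _pod(
    "good",
    containers=[{"name": "app",
                 "image": "registry.example.com/team/myknownimage@sha256:" + "a" * 64}],
    initContainers=[{"name": "init", "image": "ghcr.io/kyverno/kyverno:v1.9.0"}])

POD_BAD = _pod(
    "bad",
    containers=[{"name": "app", "image": "myknownimage"},
                {"name": "sidecar", "image": "busybox:1.36"}],
    ephemeralContainers=[{"name": "debug", "image": "nicolaka/netshoot"}])

# Caveat the rule does not cover: `name` carries no registry, so an image
# from an untrusted registry whose last path segment is on the list passes.
# That is why this policy is meant to complement a registry restriction.
POD_LOOKALIKE = _pod(
    "lookalike",
    containers=[{"name": "app", "image": "evil.example/attacker/kyverno:latest"}])

if __name__ == "__main__":
    for pod in (POD_OK, POD_BAD, POD_LOOKALIKE):
        r = evaluate(pod)
        print(f"{pod['metadata']['name']:10} denied={r['denied']} "
              f"names={r['names']} offending={r['offending']}")
```

Running it shows `bad` denied on `busybox` and `netshoot` while `lookalike` passes, which is the gap a companion registry policy closes; against a real cluster the same three Pods can be fed to `kyverno apply` with the policy above to confirm the CLI agrees.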
This policy prevents the use of the default project in an Application.
Services of type LoadBalancer deployed in AWS support TLS termination at the load balancer when it is enabled via an annotation. This policy requires that Services of type LoadBalancer carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value (the ARN of the certificate to present).
This policy prevents updates to the project field after an Application is created.