Block Large Images
Pods which run containers of very large image size take longer to pull and require more space to store. A user may either inadvertently or purposefully name an image which is unusually large to disrupt operations. This policy checks the size of every container image and blocks it if it is over 2 Gibibytes. Three practical notes: as shipped the policy sets validationFailureAction to Audit, so violations are only reported in PolicyReports and nothing is actually blocked until it is changed to Enforce; the rule iterates over spec.containers only, so images referenced from initContainers or ephemeralContainers are not checked; and the size compared is the sum of the layer blob sizes listed in the image manifest, which is the compressed size pulled over the network (not the uncompressed on-disk size) and which Kyverno must be able to fetch from the registry at admission time.
Policy Definition
/other/block-large-images/block-large-images.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-large-images
  annotations:
    policies.kyverno.io/title: Block Large Images
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Pods which run containers of very large image size take longer to pull
      and require more space to store. A user may either inadvertently or purposefully
      name an image which is unusually large to disrupt operations. This policy
      checks the size of every container image and blocks if it is over 2 Gibibytes.
spec:
  # Audit only reports violations; change to Enforce to actually block admission.
  validationFailureAction: Audit
  rules:
  - name: block-over-twogi
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      # Skip the check on DELETE (background scans have no request.operation).
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: NotEquals
        value: DELETE
    validate:
      message: "images with size greater than 2Gi not allowed"
      foreach:
      # Only spec.containers is walked; initContainers are not inspected.
      - list: "request.object.spec.containers"
        context:
        - name: imageSize
          imageRegistry:
            reference: "{{ element.image }}"
            # `to_string` is needed so Kyverno treats the result as a resource quantity
            # (like a memory quantity) when comparing it against "2Gi" below.
            # The manifest lists each layer's compressed blob size; their sum is the
            # amount pulled from the registry, not the uncompressed on-disk size.
            jmesPath: "to_string(sum(manifest.layers[*].size))"
        deny:
          conditions:
            all:
            # Deny when 2Gi < imageSize, i.e. the image is strictly larger than 2Gi.
            - key: "2Gi"
              operator: LessThan
              value: "{{imageSize}}"
```
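The comparison the policy performs, reproduced offline as an added example so the threshold logic can be exercised without a registry or a cluster. This is not Kyverno's code: the image names, the manifests standing in for registry responses and the sample Pod are all constructed here, and the `include_init` switch is an extension that also walks initContainers, which the policy as written does not do. The edge image sums to exactly 2Gi to show that `LessThan` is strict.

```python
"""Offline model of the size check in the block-large-images policy.

Added example, not Kyverno's code. It reproduces the policy's comparison
(key "2Gi" LessThan to_string(sum(manifest.layers[*].size))) against constructed
OCI manifests so the threshold logic can be tested without a registry or cluster.
"""
import re

# Multipliers for Kubernetes resource-quantity suffixes (binary and decimal).
_SUFFIX = {
    "": 1,
    "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4,
    "k": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9, "T": 10 ** 12,
}
_QTY = re.compile(r"^(\d+)(Ki|Mi|Gi|Ti|k|M|G|T)?$")


def parse_quantity(q: str) -> int:
    """Parse an integer Kubernetes quantity such as "2Gi" or "2147483648" into bytes.

    The policy wraps the summed size in to_string() so that, per its own comment,
    Kyverno compares it as a resource quantity; a bare digit string is a valid quantity.
    """
    m = _QTY.match(q.strip())
    if not m:
        raise ValueError(f"unsupported quantity: {q!r}")
    number, suffix = m.groups()
    return int(number) * _SUFFIX[suffix or ""]


def manifest_size(manifest: dict) -> int:
    """Sum of layer blob sizes, the policy's sum(manifest.layers[*].size).

    Layer descriptors carry the compressed blob size, so this is the number of
    bytes pulled from the registry, not the uncompressed on-disk size.
    """
    return sum(int(layer["size"]) for layer in manifest.get("layers", []))


def is_too_large(manifest: dict, limit: str = "2Gi") -> bool:
    """True when the policy's deny condition fires: limit < image size (strict)."""
    return parse_quantity(limit) < manifest_size(manifest)


# Constructed manifests standing in for registry responses (hypothetical image names).
MANIFESTS = {
    "registry.example/app:1.0": {
        "schemaVersion": 2,
        "layers": [{"size": 2_000_000}, {"size": 30_000_000}],
    },
    # Exactly 2Gi: not denied, because the operator is LessThan, not LessThanOrEquals.
    "registry.example/edge:1.0": {
        "schemaVersion": 2,
        "layers": [{"size": 1024 ** 3}, {"size": 1024 ** 3}],
    },
    "registry.example/bigtool:2.0": {
        "schemaVersion": 2,
        "layers": [{"size": 1_000_000_000}] * 3,
    },
}


def check_pod(pod: dict, limit: str = "2Gi", include_init: bool = False) -> list:
    """Return the images in the pod spec that exceed limit.

    With include_init=False this mirrors the policy, which iterates only over
    spec.containers. include_init=True extends the walk to initContainers,
    which the policy as written does not inspect.
    """
    spec = pod.get("spec", {})
    lists = [spec.get("containers", [])]
    if include_init:
        lists.append(spec.get("initContainers", []))
    offending = []
    for containers in lists:
        for c in containers:
            manifest = MANIFESTS[c["image"]]  # a real check fetches this from the registry
            if is_too_large(manifest, limit):
                offending.append(c["image"])
    return offending


# Constructed Pod: the oversized image is referenced only from an init container.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "sample"},
    "spec": {
        "initContainers": [{"name": "setup", "image": "registry.example/bigtool:2.0"}],
        "containers": [
            {"name": "app", "image": "registry.example/app:1.0"},
            {"name": "edge", "image": "registry.example/edge:1.0"},
        ],
    },
}

if __name__ == "__main__":
    print("policy view (containers only):", check_pod(SAMPLE_POD))
    print("including initContainers:", check_pod(SAMPLE_POD, include_init=True))
```

Running the block shows the gap directly: with the policy's own scope the sample Pod passes, while walking initContainers as well flags the 3 GB image. To close that gap in the real policy, add a second foreach entry over `request.object.spec.initContainers` with the same context and deny block.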