Only Trustworthy Registries Set Root
Some containers must be built to run as root in order to function properly, but use of those images should be carefully restricted to prevent unneeded privileges. This policy blocks any image that runs as root if it does not come from a trustworthy registry, `ghcr.io` in this case.
Policy Definition
/other/only-trustworthy-registries-set-root/only-trustworthy-registries-set-root.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: only-trustworthy-registries-set-root
  annotations:
    policies.kyverno.io/title: Only Trustworthy Registries Set Root
    policies.kyverno.io/category: Other, EKS Best Practices
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Some containers must be built to run as root in order to function properly, but
      use of those images should be carefully restricted to prevent unneeded privileges.
      This policy blocks any image that runs as root if it does not come from a trustworthy
      registry, `ghcr.io` in this case.
spec:
  validationFailureAction: Audit
  rules:
  - name: only-allow-trusted-images
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: NotEquals
        value: DELETE
    validate:
      message: "Images with root user are not allowed to be pulled from any registry other than ghcr.io."
      foreach:
      - list: "request.object.spec.containers"
        context:
        - name: imageData
          imageRegistry:
            reference: "{{ element.image }}"
        deny:
          conditions:
            all:
            - key: "{{ imageData.configData.config.User || ''}}"
              operator: Equals
              value: ""
            - key: "{{ imageData.registry }}"
              operator: NotEquals
              value: "ghcr.io"
```
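The following is an added example, not part of the policy or the Kyverno project, that re-implements the rule's `foreach`/`deny` logic locally so you can see which containers in a Pod spec it would flag. It assumes bare references such as `nginx:1.25` resolve to `docker.io` (Kyverno's default registry) and stands in for the `imageRegistry` context with a constructed mapping from image reference to the image config's `User` field. The `strict=True` path reproduces the policy exactly (deny when `User` is empty and the registry is not `ghcr.io`); `strict=False` goes beyond the page and also treats explicit spellings such as `0`, `root` or `0:0` as root, which the policy as written does not catch.

```python
"""Local evaluation of the only-trustworthy-registries-set-root deny logic.
Added example; the image data below is constructed, not pulled from a registry."""

TRUSTED_REGISTRY = "ghcr.io"
DEFAULT_REGISTRY = "docker.io"  # assumed default for bare references (Kyverno's default)


def registry_of(image: str) -> str:
    """Return the registry host of an image reference.

    Follows the container reference convention: the first path component is a
    registry only if it contains '.' or ':' or is 'localhost'; otherwise the
    image lives on the default registry (e.g. 'nginx', 'myorg/app:1.0').
    """
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return DEFAULT_REGISTRY


def runs_as_root(user: str, strict: bool = True) -> bool:
    """Decide whether the image config's User field means root.

    strict=True  mirrors the policy: only an empty User (the OCI default) counts.
    strict=False is an extension beyond the policy: explicit root spellings
                 ('0', 'root', '0:0', 'root:root') count as well.
    """
    if strict:
        return user == ""
    name = user.split(":", 1)[0].strip()
    return name in ("", "0", "root")


def policy_violations(containers, image_config, strict: bool = True):
    """Evaluate the rule over pod.spec.containers.

    containers:   list of {"name": ..., "image": ...} entries
    image_config: mapping image reference -> {"User": ...}, standing in for
                  imageData.configData.config that Kyverno resolves at admission
    Returns the names of containers the policy would deny, in spec order.
    """
    denied = []
    for container in containers:
        image = container["image"]
        user = image_config.get(image, {}).get("User", "")  # same '|| ""' default as the policy
        if runs_as_root(user, strict) and registry_of(image) != TRUSTED_REGISTRY:
            denied.append(container["name"])
    return denied


# Constructed sample Pod containers and the image configs they would resolve to.
DIGEST = "sha256:" + "a" * 64  # placeholder digest, not a real image
SAMPLE_CONTAINERS = [
    {"name": "web", "image": "nginx:1.25"},                             # docker.io, root by default
    {"name": "tool", "image": "ghcr.io/example-org/tool:2.0"},          # trusted registry, root
    {"name": "api", "image": f"registry.example.com/team/api@{DIGEST}"},  # non-root user
    {"name": "job", "image": "localhost:5000/batch:1.0"},               # explicit User "0"
]
SAMPLE_IMAGE_CONFIG = {
    "nginx:1.25": {"User": ""},
    "ghcr.io/example-org/tool:2.0": {"User": ""},
    f"registry.example.com/team/api@{DIGEST}": {"User": "10001:10001"},
    "localhost:5000/batch:1.0": {"User": "0"},
}

if __name__ == "__main__":
    print("policy as written denies:", policy_violations(SAMPLE_CONTAINERS, SAMPLE_IMAGE_CONFIG))
    print("with explicit-root check:", policy_violations(SAMPLE_CONTAINERS, SAMPLE_IMAGE_CONFIG, strict=False))
```

Run as a script, the strict evaluation denies only `web`: `tool` comes from `ghcr.io`, `api` runs as UID 10001, and `job` passes because its `User` is `0` rather than empty, which is the gap the non-strict mode closes. Two operational points follow from the policy text itself: `validationFailureAction` is `Audit`, so violations are reported in policy reports rather than rejected until it is changed to `Enforce`, and the `imageRegistry` context requires the Kyverno admission controller to fetch image metadata from each registry at admission time, so private registries need credentials configured for Kyverno.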