Replace Image Registry

Rather than blocking Pods whose images come from outside registries, it is also possible to mutate them so that pulls are directed to approved registries. In some cases those registries function as pull-through proxies and fetch the image themselves if it is not yet cached. This policy rewrites every image reference, whether in the form 'image:tag' or 'registry.corp.com/image:tag', so that it is pulled from `myregistry.corp.com/`; any path in the image name is preserved. Note that this policy mutates Pods directly and not their controllers (the `pod-policies.kyverno.io/autogen-controllers` annotation is set to `none`). It can be changed to target controllers instead, but in that case it may need to not match on Pods.

Policy Definition

/other/replace-image-registry/replace-image-registry.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: replace-image-registry
  annotations:
    policies.kyverno.io/title: Replace Image Registry
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.7.2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      Rather than blocking Pods which come from outside registries,
      it is also possible to mutate them so the pulls are directed to
      approved registries. In some cases, those registries may function as
      pull-through proxies and can fetch the image if not cached.
      This policy mutates all images either in the form 'image:tag' or
      'registry.corp.com/image:tag' to be `myregistry.corp.com/`. Any
      path in the image name will be preserved. Note that this mutates Pods
      directly and not their controllers. It can be changed if desired but
      if so may need to not match on Pods.
spec:
  background: false
  rules:
    - name: replace-image-registry-pod-containers
      match:
        any:
        - resources:
            kinds:
            - Pod
      mutate:
        foreach:
        - list: "request.object.spec.containers"
          patchStrategicMerge:
            spec:
              containers:
              - name: "{{ element.name }}"
                image: "{{ regex_replace_all('^(localhost/|(?:[a-z0-9]+\\.)+[a-z0-9]+/)?(.*)$', '{{element.image}}', 'myregistry.corp.com/$2' )}}"
    - name: replace-image-registry-pod-initcontainers
      match:
        any:
        - resources:
            kinds:
            - Pod
      preconditions:
        all:
        - key: "{{ request.object.spec.initContainers[] || `[]` | length(@) }}"
          operator: GreaterThanOrEquals
          value: 1
      mutate:
        foreach:
        - list: "request.object.spec.initContainers"
          patchStrategicMerge:
            spec:
              initContainers:
              - name: "{{ element.name }}"
                image: "{{ regex_replace_all('^(localhost/|(?:[a-z0-9]+\\.)+[a-z0-9]+/)?(.*)$', '{{element.image}}', 'myregistry.corp.com/$2' )}}"
```
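To see exactly which prefixes the policy's `regex_replace_all` strips, the same expression can be evaluated with Go's `regexp` package, whose RE2 syntax and `$2` replacement form match what the policy uses. This is an added example, not part of the policy or of Kyverno itself; the image references are constructed and deliberately include a registry with a port and one with a hyphen, which the pattern does not recognise as a registry prefix.

```go
package main

import (
	"fmt"
	"regexp"
)

// registryPattern is the expression from the policy's regex_replace_all call:
// group 1 is an optional registry prefix ("localhost/" or a dotted, all
// lower-case alphanumeric hostname followed by "/"), group 2 is the remainder.
var registryPattern = regexp.MustCompile(`^(localhost/|(?:[a-z0-9]+\.)+[a-z0-9]+/)?(.*)$`)

// approvedRegistry is the replacement prefix from the policy.
const approvedRegistry = "myregistry.corp.com/"

// RewriteImage performs the substitution the policy applies to each container
// image: group 1 (if any) is dropped and group 2 is prefixed with the approved
// registry, so repository paths, tags and digests survive unchanged.
func RewriteImage(image string) string {
	return registryPattern.ReplaceAllString(image, approvedRegistry+"$2")
}

func main() {
	// Constructed sample image references (not taken from a real cluster).
	samples := []string{
		"nginx:1.25",
		"library/nginx:1.25",
		"registry.corp.com/team/app:v2",
		"localhost/tools/debug:latest",
		"ghcr.io/org/repo@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
		// The next two are NOT matched by group 1, so the original host is
		// kept as a path component under the approved registry.
		"localhost:5000/team/app:v2",
		"my-registry.io/team/app:v2",
	}
	for _, s := range samples {
		fmt.Printf("%-45s -> %s\n", s, RewriteImage(s))
	}
}
```

The last two cases show why the rewrite should be checked against the registry naming actually in use: a host with a port or a hyphen is passed through as `myregistry.corp.com/localhost:5000/...`, which the approved registry will not be able to resolve.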