Rather than blocking Pods whose images come from outside registries, it is also possible to mutate them so that the pulls are directed to approved registries. In some cases those registries function as pull-through proxies and can fetch the image if it is not already cached. This policy rewrites every image reference, whether in the form 'image:tag' or 'registry.corp.com/image:tag', so that it is pulled from `myregistry.corp.com/`; any path in the image name is preserved. Note that this policy mutates Pods directly and not their controllers. It can be changed to match controllers if desired, but if so it may need to not match on Pods.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: replace-image-registry
  annotations:
    policies.kyverno.io/title: Replace Image Registry
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.7.2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      Rather than blocking Pods which come from outside registries, it is also possible to mutate them
      so the pulls are directed to approved registries. In some cases, those registries may function as
      pull-through proxies and can fetch the image if not cached. This policy mutates all images either
      in the form 'image:tag' or 'registry.corp.com/image:tag' to be `myregistry.corp.com/`. Any path
      in the image name will be preserved. Note that this mutates Pods directly and not their controllers.
      It can be changed if desired but if so may need to not match on Pods.
spec:
  background: false
  rules:
  - name: replace-image-registry-pod-containers
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      foreach:
      - list: request.object.spec.containers
        patchStrategicMerge:
          spec:
            containers:
            - name: "{{ element.name }}"
              image: "{{ regex_replace_all('^(localhost/|(?:[a-z0-9]+\\.)+[a-z0-9]+/)?(.*)$', '{{element.image}}', 'myregistry.corp.com/$2' )}}"
  - name: replace-image-registry-pod-initcontainers
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{ request.object.spec.initContainers[] || `[]` | length(@) }}"
        operator: GreaterThanOrEquals
        value: 1
    mutate:
      foreach:
      - list: request.object.spec.initContainers
        patchStrategicMerge:
          spec:
            initContainers:
            - name: "{{ element.name }}"
              image: "{{ regex_replace_all('^(localhost/|(?:[a-z0-9]+\\.)+[a-z0-9]+/)?(.*)$', '{{element.image}}', 'myregistry.corp.com/$2' )}}"
```
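Before rolling this out it is worth checking exactly which references the policy's regex rewrites. The program below is an added example, not part of the policy or of Kyverno itself: it applies the same pattern and replacement with Go's RE2 engine (the one Kyverno's `regex_replace_all` uses) to constructed sample references, shows that the rewrite is idempotent for images already on `myregistry.corp.com`, and also shows the two reference shapes the pattern does not strip, a registry host with a port and a hyphenated hostname, which end up nested under the new prefix instead of replaced. The sample references and the helper names `rewriteImage` and `stable` are assumptions for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Same pattern and replacement as the policy's regex_replace_all call.
// Group 1 is the optional registry prefix (discarded); group 2 is the
// path plus tag or digest, which is kept.
var (
	registryPrefix = regexp.MustCompile(`^(localhost/|(?:[a-z0-9]+\.)+[a-z0-9]+/)?(.*)$`)
	targetRegistry = "myregistry.corp.com/"
)

// rewriteImage returns the reference as the policy would mutate it.
func rewriteImage(image string) string {
	return registryPrefix.ReplaceAllString(image, targetRegistry+"${2}")
}

// stable reports whether applying the rewrite a second time (for example on
// a Pod update that is admitted again) leaves the reference unchanged.
func stable(image string) bool {
	once := rewriteImage(image)
	return rewriteImage(once) == once
}

func main() {
	// Constructed sample references (hypothetical hosts and tags). The last two
	// contain a port and a hyphen, which the character class [a-z0-9] does not
	// cover, so their original registry is kept as a path component.
	samples := []string{
		"nginx:1.25",
		"ghcr.io/org/app:v2",
		"localhost/tools/debug:latest",
		"docker.io/library/redis@sha256:0123456789abcdef",
		"myregistry.corp.com/org/app:v2",
		"registry.corp.com:5000/team/app:1.0",
		"my-registry.example.com/team/app:1.0",
	}
	for _, img := range samples {
		fmt.Printf("%-50s -> %s (stable=%v)\n", img, rewriteImage(img), stable(img))
	}
}
```

If your approved registry publishes Docker Hub mirrors under `library/`, note that a bare `nginx:1.25` becomes `myregistry.corp.com/nginx:1.25`, not `myregistry.corp.com/library/nginx:1.25`; adjust the replacement or the proxy's namespace layout accordingly.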
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as restricted users can impact other users. It is recommended to use Helm v3+ which does not contain Tiller for these reasons. This policy validates that there is not an image containing the name `tiller`.