Replace Image Registry

Rather than blocking Pods which come from outside registries, it is also possible to mutate them so the pulls are directed to approved registries. In some cases, those registries may function as pull-through proxies and can fetch the image if not cached. This policy mutates all images either in the form 'image:tag' or 'registry.corp.com/image:tag' to be prefaced with `myregistry.corp.com/`.

Policy Definition

/other/replace_image_registry.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: replace-image-registry
  annotations:
    policies.kyverno.io/title: Replace Image Registry
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.3.6
    policies.kyverno.io/description: >-
      Rather than blocking Pods which come from outside registries,
      it is also possible to mutate them so the pulls are directed to
      approved registries. In some cases, those registries may function as
      pull-through proxies and can fetch the image if not cached.
      This policy mutates all images either
      in the form 'image:tag' or 'registry.corp.com/image:tag' to be prefaced
      with `myregistry.corp.com/`.
spec:
  background: false
  rules:
    - name: replace-image-registry
      match:
        resources:
          kinds:
          - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
            # The (name): "*" anchor applies the patch to every container in the Pod.
            - (name): "*"
              # Replace everything before the first "/" in the current image
              # value ({{@}}) with the approved registry.
              image: |-
                {{ regex_replace_all('^[^/]+', '{{@}}', 'myregistry.corp.com') }}
```
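The following is an added example, not part of the Kyverno policy library: it emulates the policy's `regex_replace_all('^[^/]+', ...)` expression in Go to show what it returns for common image reference forms, next to a hypothetical registry-aware variant. It assumes the Kyverno function behaves like Go's `regexp.ReplaceAllString`; the function names and sample image references are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// firstSegment is the pattern used by the policy's regex_replace_all call.
var firstSegment = regexp.MustCompile(`^[^/]+`)

const approved = "myregistry.corp.com" // registry name taken from the policy

// PolicyRewrite mirrors the policy expression: everything before the first
// "/" (or the whole string when there is no "/") becomes the registry name.
func PolicyRewrite(image string) string {
	return firstSegment.ReplaceAllString(image, approved)
}

// RegistryAwareRewrite is a hypothetical alternative (not Kyverno code): it
// swaps the first segment only when it looks like a registry host (contains
// "." or ":" or equals "localhost", the rule Docker uses to tell a registry
// from a repository namespace) and otherwise prepends the registry.
func RegistryAwareRewrite(image string) string {
	first, rest, hasSlash := strings.Cut(image, "/")
	if hasSlash && (strings.ContainsAny(first, ".:") || first == "localhost") {
		return approved + "/" + rest
	}
	return approved + "/" + image
}

func main() {
	// Constructed sample image references, one per common form.
	samples := []string{
		"nginx:1.25",
		"registry.corp.com/nginx:1.25",
		"library/nginx:1.25",
		"localhost:5000/team/app:v2",
	}
	for _, s := range samples {
		fmt.Printf("%-30s policy=%-32s aware=%s\n",
			s, PolicyRewrite(s), RegistryAwareRewrite(s))
	}
}
```

With these inputs the emulated policy expression turns `nginx:1.25` into `myregistry.corp.com` and drops the `library/` namespace, so test the policy against every image form in use before relying on it. The rule as shown patches only `spec.containers`.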