Container images can be built from a variety of sources, including other preexisting images. Ensuring that images allowed to run are built from known, trusted base images whose provenance is guaranteed can be an important step in overall cluster security. This policy requires that every container image declares some base image in its metadata through one of four sources: Docker BuildKit build information embedded in the image config, an OCI base-image label (`org.opencontainers.image.base.name`) in the image config, the same OCI annotation on the image manifest, or Buildpacks lifecycle metadata. The policy denies only when all four are absent, and it checks presence rather than identity: an image passes as soon as any base is declared, whatever that base is, so pairing it with a policy that restricts which base images are acceptable is needed if trust in the base itself matters. Note that base-image information is not recorded automatically; the image author must emit it through metadata or build tooling (a Dockerfile `FROM` statement by itself does not expose it). As written, the rule runs in `Audit` mode, iterates only over `spec.containers` (not init or ephemeral containers), and relies on the `imageRegistry` context, so Kyverno needs registry access to the images it evaluates.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-base-image
  annotations:
    policies.kyverno.io/title: Check Image Base
    policies.kyverno.io/category: Other, EKS Best Practices
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.7.0
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Container images can be built from a variety of sources, including other preexisting images.
      Ensuring images that are allowed to run are built from known, trusted images where their provenance
      is guaranteed can be an important step in ensuring overall cluster security. This policy ensures
      that any container image specifies some base image in its metadata from four possible sources:
      Docker BuildKit, OCI annotations (in manifest or config), or Buildpacks. Note that the ability to
      detect the presence of a base image is not implicit and requires the author to specify it using
      metadata or build directives of some sort (ex., Dockerfile FROM statements do not automatically
      expose this information).
spec:
  validationFailureAction: Audit
  rules:
  - name: require-base-image
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: NotEquals
        value: DELETE
    validate:
      message: Images must specify a source/base image from which they are built.
      foreach:
      - list: request.object.spec.containers
        context:
        - name: imageData
          imageRegistry:
            reference: "{{ element.image }}"
        - name: mobysource
          variable:
            jmesPath: imageData.configData."moby.buildkit.buildinfo.v1" | base64_decode(@).parse_json(@) | sources[?type == 'docker-image'].ref | length(@)
            default: 0
        - name: ocisourcelabels
          variable:
            jmesPath: imageData.configData.config.Labels | keys(@)
            default: []
        - name: ocisourceannotations
          variable:
            jmesPath: imageData.manifest.annotations."org.opencontainers.image.base.name"
            default: ""
        - name: buildpacks
          variable:
            jmesPath: parse_json(imageData.configData.config.Labels."io.buildpacks.lifecycle.metadata").runImage.reference || parse_json(imageData.configData.config.Labels."io.buildpacks.lifecycle.metadata").stack.runImage.image
            default: ""
        deny:
          conditions:
            all:
            - key: org.opencontainers.image.base.name
              operator: AnyNotIn
              value: "{{ ocisourcelabels}}"
            - key: "{{ ocisourceannotations}}"
              operator: Equals
              value: ""
            - key: "{{ mobysource }}"
              operator: Equals
              value: 0
            - key: "{{ buildpacks }}"
              operator: Equals
              value: ""
```
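The four context variables above each look in a different place in the image metadata, and the `deny` block fires only when all four come up empty. The following Python is an added example, not code from the Kyverno project or this policy, that reproduces those four checks against a parsed OCI manifest and image config (the objects Kyverno exposes as `imageData.manifest` and `imageData.configData`). It is useful for checking offline what an image must carry before the policy admits it. The metadata keys are the real ones from the policy's `jmesPath` expressions; the sample manifests, configs, image references and the `_buildinfo` helper are constructed for the example.

```python
import base64
import json

# Metadata keys the policy inspects, copied from its jmesPath expressions.
OCI_BASE_NAME = "org.opencontainers.image.base.name"
BUILDKIT_BUILDINFO = "moby.buildkit.buildinfo.v1"
BUILDPACKS_METADATA = "io.buildpacks.lifecycle.metadata"


def base_image_sources(manifest: dict, config: dict) -> dict:
    """Return {source: base_ref} for every place a base image is declared.

    `manifest` and `config` are the parsed OCI image manifest and image config,
    i.e. what Kyverno exposes as imageData.manifest and imageData.configData.
    An empty result means the policy's deny block would fire for this image.
    """
    found = {}
    labels = (config.get("config") or {}).get("Labels") or {}

    # Source 1: OCI annotation on the manifest. The policy's default for a
    # missing key is "", and it denies on Equals "", so empty means undeclared.
    annotation = (manifest.get("annotations") or {}).get(OCI_BASE_NAME, "")
    if annotation:
        found["oci-annotation"] = annotation

    # Source 2: OCI label in the image config. The policy only checks that the
    # key is present (AnyNotIn over the label keys), so an empty value passes.
    if OCI_BASE_NAME in labels:
        found["oci-label"] = labels[OCI_BASE_NAME]

    # Source 3: BuildKit buildinfo, a base64-encoded JSON blob at the top level
    # of the config. The policy counts sources of type "docker-image".
    raw = config.get(BUILDKIT_BUILDINFO)
    if raw:
        info = json.loads(base64.b64decode(raw))
        refs = [s["ref"] for s in info.get("sources", []) if s.get("type") == "docker-image"]
        if refs:
            found["buildkit"] = refs

    # Source 4: Buildpacks lifecycle metadata, a JSON string inside a label.
    # The policy's `||` tries runImage.reference first, then stack.runImage.image.
    bp = labels.get(BUILDPACKS_METADATA)
    if bp:
        meta = json.loads(bp)
        ref = (meta.get("runImage") or {}).get("reference") or \
              ((meta.get("stack") or {}).get("runImage") or {}).get("image")
        if ref:
            found["buildpacks"] = ref
    return found


def has_base_image(manifest: dict, config: dict) -> bool:
    """True when the image would pass the policy (at least one source declared)."""
    return bool(base_image_sources(manifest, config))


def _buildinfo(*refs: str) -> str:
    """Constructed helper: encode a minimal buildinfo blob in BuildKit's layout."""
    info = {"frontend": "dockerfile.v0",
            "sources": [{"type": "docker-image", "ref": r} for r in refs]}
    return base64.b64encode(json.dumps(info).encode()).decode()


# Constructed sample (manifest, config) pairs, one per source, plus a negative case.
SAMPLES = {
    "buildkit": ({}, {BUILDKIT_BUILDINFO: _buildinfo("docker.io/library/alpine:3.18")}),
    "oci-label": ({}, {"config": {"Labels": {OCI_BASE_NAME: "docker.io/library/debian:12-slim"}}}),
    "oci-annotation": ({"annotations": {OCI_BASE_NAME: "registry.example.com/base:1.0"}}, {}),
    "buildpacks": ({}, {"config": {"Labels": {BUILDPACKS_METADATA: json.dumps(
        {"runImage": {"reference": "registry.example.com/run-image:latest"}})}}}),
    # A scratch-built or plainly tagged image carries none of the metadata.
    "none": ({}, {"config": {"Labels": {"maintainer": "someone"}}}),
}

if __name__ == "__main__":
    for name, (manifest, config) in SAMPLES.items():
        print(f"{name:15} allowed={has_base_image(manifest, config)} "
              f"sources={base_image_sources(manifest, config)}")
```

Two behaviours worth knowing when reading the results: an OCI label with an empty value still satisfies the policy (only the key is checked), while an empty manifest annotation does not, and the BuildKit `buildinfo` source only exists for images whose builder chose to embed it; newer BuildKit releases have deprecated that field in favour of provenance attestations, so images from such builds need an explicit OCI label or annotation to pass.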
This policy performs some best practices validation on Application fields. Path or chart must be specified but never both. And destination.name or destination.server must be specified but never both.
This policy prevents the use of the default project in an Application.
This policy prevents updates to the project field after an Application is created.