Require imagePullSecrets
Some registries, both public and private, require credentials in order to pull images from them. This policy checks those images and, if they come from a registry other than ghcr.io or quay.io, requires an `imagePullSecret`.
Policy Definition
/other/require-imagepullsecrets/require-imagepullsecrets.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-imagepullsecrets
  annotations:
    policies.kyverno.io/title: Require imagePullSecrets
    policies.kyverno.io/category: Sample
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Some registries, both public and private, require credentials in order to pull images
      from them. This policy checks those images and if they come from a registry
      other than ghcr.io or quay.io an `imagePullSecret` is required.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: check-for-image-pull-secrets
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{ images.containers.*.registry }}"
        operator: AnyNotIn
        value:
        - ghcr.io
        - quay.io
    validate:
      message: "An `imagePullSecret` is required when pulling from this registry."
      pattern:
        spec:
          imagePullSecrets:
          - name: "?*"
```
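How the rule treats four Pods, as an added example that is not part of the policy's own files. The Pod names, the `registry.example.com` images and the secret name `regcred` are constructed placeholders.

```yaml
# 1. Registry outside the allow-list, no pull secret: the precondition matches,
#    the pattern fails, and the Pod is reported (Audit does not block admission).
apiVersion: v1
kind: Pod
metadata:
  name: pod-no-secret
spec:
  containers:
  - name: app
    image: registry.example.com/team/app:1.0
---
# 2. Same registry with a named secret: the pattern `name: "?*"` is satisfied.
apiVersion: v1
kind: Pod
metadata:
  name: pod-with-secret
spec:
  imagePullSecrets:
  - name: regcred
  containers:
  - name: app
    image: registry.example.com/team/app:1.0
---
# 3. Only ghcr.io / quay.io images: AnyNotIn is false, so the rule is skipped.
apiVersion: v1
kind: Pod
metadata:
  name: pod-allowlisted
spec:
  containers:
  - name: app
    image: ghcr.io/example/app:1.0
  - name: sidecar
    image: quay.io/example/sidecar:1.0
---
# 4. Mixed registries: one container outside the list is enough for AnyNotIn,
#    so this Pod is reported like case 1.
apiVersion: v1
kind: Pod
metadata:
  name: pod-mixed
spec:
  containers:
  - name: app
    image: ghcr.io/example/app:1.0
  - name: helper
    image: registry.example.com/team/helper:1.0
```

The precondition reads only `images.containers`, so images under `initContainers` or `ephemeralContainers` are not considered by this rule. The pattern only requires that a non-empty secret name is present; it does not check that the referenced secret exists or holds valid credentials.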