Restrict Deprecated Registry
The legacy k8s.gcr.io container image registry will be frozen from the 3rd of April 2023. Images for Kubernetes 1.27 will not be available in the k8s.gcr.io image registry. Please read our announcement for more details: https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/
Policy Definition
/other/restrict-deprecated-registry/restrict-deprecated-registry.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-deprecated-registry
  annotations:
    policies.kyverno.io/title: Restrict Deprecated Registry
    policies.kyverno.io/category: Best Practices, EKS Best Practices
    policies.kyverno.io/severity: high
    policies.kyverno.io/minversion: 1.9.0
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Legacy k8s.gcr.io container image registry will be frozen in early April 2023
      k8s.gcr.io image registry will be frozen from the 3rd of April 2023.
      Images for Kubernetes 1.27 will not be available in the k8s.gcr.io image registry.
      Please read our announcement for more details.
      https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/
spec:
  validationFailureAction: Enforce
  # validationFailureAction: Audit
  background: true
  rules:
    - name: restrict-deprecated-registry
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "The \"k8s.gcr.io\" image registry is deprecated. \"registry.k8s.io\" should now be used."
        foreach:
          - list: "request.object.spec.[initContainers, ephemeralContainers, containers][]"
            deny:
              conditions:
                all:
                  - key: "{{ element.image }}"
                    operator: Equals
                    value: "k8s.gcr.io/*"
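
The following is an added example, not part of the Kyverno policy library: an offline approximation of the rule's `foreach`/`deny` logic for auditing Pod manifests before switching the policy to `Enforce`. The function name, the sample Pods and the use of Python's `fnmatchcase` as a stand-in for Kyverno's wildcard matching are assumptions.

```python
from fnmatch import fnmatchcase

# Value of the policy's deny condition; the wildcard must match the whole image string.
DEPRECATED_PATTERN = "k8s.gcr.io/*"
# Same three lists the policy's foreach expression flattens into one.
CONTAINER_FIELDS = ("initContainers", "ephemeralContainers", "containers")


def deprecated_images(pod):
    """Return (field, container name, image) for each container the rule would deny."""
    spec = pod.get("spec") or {}
    hits = []
    for field in CONTAINER_FIELDS:
        # Absent or null lists contribute nothing, as in the flattened projection.
        for container in spec.get(field) or []:
            image = container.get("image", "")
            if fnmatchcase(image, DEPRECATED_PATTERN):
                hits.append((field, container.get("name", "?"), image))
    return hits


# Constructed sample Pods (not taken from the page).
POD_INIT_ONLY = {"spec": {
    "initContainers": [{"name": "setup", "image": "k8s.gcr.io/busybox:1.27"}],
    "containers": [{"name": "app", "image": "registry.k8s.io/pause:3.9"}],
}}
POD_EPHEMERAL = {"spec": {
    "containers": [{"name": "app", "image": "nginx:1.25"}],
    "ephemeralContainers": [{"name": "debug", "image": "k8s.gcr.io/pause:3.8"}],
}}
POD_COMPLIANT = {"spec": {
    "containers": [
        {"name": "app", "image": "registry.k8s.io/pause:3.9"},
        # The pattern is anchored at the start, so this path is not matched.
        {"name": "cache", "image": "mirror.example.com/k8s.gcr.io/pause:3.9"},
    ],
}}

if __name__ == "__main__":
    for name, pod in [("init-only", POD_INIT_ONLY),
                      ("ephemeral", POD_EPHEMERAL),
                      ("compliant", POD_COMPLIANT)]:
        hits = deprecated_images(pod)
        print(name, "DENY" if hits else "ALLOW", hits)
```

A Pod is rejected if any single container in any of the three lists matches, so a compliant main container does not make up for a deprecated init or ephemeral container image.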