2019-10-23 21:06:03 +00:00
|
|
|
# Disallow unknown image registries
|
|
|
|
|
|
2019-10-23 22:36:37 +00:00
|
|
|
Images from unknown registries may not be scanned and secured. Requiring the use of trusted registries helps reduce threat exposure.
|
|
|
|
|
|
|
|
|
|
You can customize this policy to allow image registries that you trust.
|
2019-10-23 21:06:03 +00:00
|
|
|
|
|
|
|
|
## Policy YAML
|
|
|
|
|
|
2019-11-12 02:21:16 +00:00
|
|
|
[restrict_image_registries.yaml](more/restrict_image_registries.yaml)
|
2019-10-23 21:06:03 +00:00
|
|
|
|
|
|
|
|
````yaml
|
2019-11-13 21:56:20 +00:00
|
|
|
apiVersion : kyverno.io/v1
|
2019-10-23 21:06:03 +00:00
|
|
|
kind: ClusterPolicy
|
|
|
|
|
metadata:
|
2019-11-11 02:13:01 +00:00
|
|
|
name: restrict-image-registries
|
2019-10-23 21:06:03 +00:00
|
|
|
spec:
|
2020-08-19 21:04:58 +00:00
|
|
|
validationFailureAction: audit
|
2019-10-23 21:06:03 +00:00
|
|
|
rules:
|
2019-11-11 02:13:01 +00:00
|
|
|
- name: validate-registries
|
2019-10-23 21:06:03 +00:00
|
|
|
match:
|
|
|
|
|
resources:
|
|
|
|
|
kinds:
|
|
|
|
|
- Pod
|
|
|
|
|
validate:
|
2019-11-06 03:07:44 +00:00
|
|
|
message: "Unknown image registry"
|
2019-10-23 21:06:03 +00:00
|
|
|
pattern:
|
|
|
|
|
spec:
|
|
|
|
|
containers:
|
|
|
|
|
- image: "k8s.gcr.io/* | gcr.io/*"
|
|
|
|
|
````
|
