kyverno/samples/best_practices/trusted_image_registries.yaml

apiVersion : kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
  name: trusted-registries
  annotations:
    policies.kyverno.io/category: Image
    policies.kyverno.io/description: Images from unknown registries may not be scanned and secured. 
      Requiring use of known registries helps reduce threat exposure. You can customize this policy 
      to allow image registries that you trust.
spec:
  rules:
  - name: trusted-registries
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Deny untrusted registries"
      pattern:
        spec:
          containers:
          - image: "k8s.gcr.io/* | gcr.io/*"
allow trusted registries 2019-10-10 10:29:10 -07:00			`apiVersion : kyverno.io/v1alpha1`
			`kind: ClusterPolicy`
			`metadata:`
			`name: trusted-registries`
Provide descriptions for policies 2019-10-11 18:57:16 -07:00			`annotations:`
			`policies.kyverno.io/category: Image`
update description format 2019-10-14 16:33:19 -07:00			`policies.kyverno.io/description: Images from unknown registries may not be scanned and secured.`
			`Requiring use of known registries helps reduce threat exposure. You can customize this policy`
			`to allow image registries that you trust.`
allow trusted registries 2019-10-10 10:29:10 -07:00			`spec:`
			`rules:`
			`- name: trusted-registries`
			`match:`
			`resources:`
			`kinds:`
			`- Pod`
			`validate:`
			`message: "Deny untrusted registries"`
			`pattern:`
			`spec:`
			`containers:`
			`- image: "k8s.gcr.io/* \| gcr.io/*"`