kyverno/samples/RestrictImageRegistries.md

# Disallow unknown image registries

Images from unknown registries may not be scanned and secured. Requiring the use of trusted registries helps reduce threat exposure and is considered a common Kubernetes best practice.

This sample policy requires that all images come from either `k8s.gcr.io` or `gcr.io`. You can customize this policy to allow other or different image registries that you trust. Alternatively, you can invert the check to allow images from all other registries except one (or a list) by changing the `image` field to `image: "!k8s.gcr.io"`.

## Policy YAML

[restrict_image_registries.yaml](more/restrict_image_registries.yaml)

````yaml
apiVersion : kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
spec:
  validationFailureAction: audit
  rules:
  - name: validate-registries
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Unknown image registry."
      pattern:
        spec:
          containers:
          # Allows images from either k8s.gcr.io or gcr.io.
          - image: "k8s.gcr.io/* | gcr.io/*"
````
reorganize samples 2019-10-23 14:06:03 -07:00			`# Disallow unknown image registries`

new samples; updates (#1259) * new samples; updates * typos * add policy to restrict LoadBalancer * correct sample numbering * fix typos 2020-11-16 16:39:59 -05:00			`Images from unknown registries may not be scanned and secured. Requiring the use of trusted registries helps reduce threat exposure and is considered a common Kubernetes best practice.`
update descriptions... 2019-10-23 15:36:37 -07:00
new samples; updates (#1259) * new samples; updates * typos * add policy to restrict LoadBalancer * correct sample numbering * fix typos 2020-11-16 16:39:59 -05:00			This sample policy requires that all images come from either `k8s.gcr.io` or `gcr.io`. You can customize this policy to allow other or different image registries that you trust. Alternatively, you can invert the check to allow images from all other registries except one (or a list) by changing the `image` field to `image: "!k8s.gcr.io"`.
reorganize samples 2019-10-23 14:06:03 -07:00
manifest fixes; typos; linting (#1240) 2020-11-11 15:55:02 -05:00			`## Policy YAML`
reorganize samples 2019-10-23 14:06:03 -07:00
manifest fixes; typos; linting (#1240) 2020-11-11 15:55:02 -05:00			`[restrict_image_registries.yaml](more/restrict_image_registries.yaml)`
reorganize samples 2019-10-23 14:06:03 -07:00
			````yaml
update api in samples/ 2019-11-13 13:56:20 -08:00			`apiVersion : kyverno.io/v1`
reorganize samples 2019-10-23 14:06:03 -07:00			`kind: ClusterPolicy`
			`metadata:`
update restrict_image_registries 2019-11-10 18:13:01 -08:00			`name: restrict-image-registries`
reorganize samples 2019-10-23 14:06:03 -07:00			`spec:`
add validateFailureAction to all policies (#1068) 2020-08-19 14:04:58 -07:00			`validationFailureAction: audit`
reorganize samples 2019-10-23 14:06:03 -07:00			`rules:`
update restrict_image_registries 2019-11-10 18:13:01 -08:00			`- name: validate-registries`
reorganize samples 2019-10-23 14:06:03 -07:00			`match:`
			`resources:`
			`kinds:`
			`- Pod`
			`validate:`
new samples; updates (#1259) * new samples; updates * typos * add policy to restrict LoadBalancer * correct sample numbering * fix typos 2020-11-16 16:39:59 -05:00			`message: "Unknown image registry."`
reorganize samples 2019-10-23 14:06:03 -07:00			`pattern:`
			`spec:`
			`containers:`
new samples; updates (#1259) * new samples; updates * typos * add policy to restrict LoadBalancer * correct sample numbering * fix typos 2020-11-16 16:39:59 -05:00			`# Allows images from either k8s.gcr.io or gcr.io.`
reorganize samples 2019-10-23 14:06:03 -07:00			`- image: "k8s.gcr.io/* \| gcr.io/*"`
			````