---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: images
spec:
  admission: true
  background: true
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pod
    name: only-allow-trusted-images
    preconditions:
      all:
      - key: '{{request.operation}}'
        operator: NotEquals
        value: DELETE
    validate:
      failureAction: Enforce
      foreach:
      - context:
        - imageRegistry:
            reference: '{{ element.image }}'
          name: imageData
        deny:
          conditions:
            all:
            - key: '{{ imageData.configData.config.User || ''''}}'
              operator: Equals
              value: ""
            - key: '{{ imageData.registry }}'
              operator: NotEquals
              value: ghcr.io
        list: request.object.spec.containers
      message: images with root user are not allowed
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-image-base
spec:
  admission: true
  background: true
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pod
    name: check-image-base-rule
    preconditions:
      all:
      - key: '{{request.operation}}'
        operator: NotEquals
        value: DELETE
    validate:
      failureAction: Enforce
      foreach:
      - context:
        - imageRegistry:
            reference: '{{ element.image }}'
          name: imageData
        - name: mobysource
          variable:
            default: 0
            jmesPath: imageData.configData."moby.buildkit.buildinfo.v1" | base64_decode(@).parse_json(@)
              | sources[].ref | length(@)
        deny:
          conditions:
            all:
            - key: '{{ mobysource }}'
              operator: Equals
              value: 0
        list: request.object.spec.containers
      message: Images must specify a source/base image from which they are built to
        be valid.
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-manifest-list
spec:
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pod
    name: check-manifest-list-rule
    preconditions:
      all:
      - key: '{{request.operation}}'
        operator: NotEquals
        value: DELETE
    validate:
      foreach:
      - context:
        - imageRegistry:
            reference: '{{ element.image }}'
          name: imageData
        - name: manifests
          variable:
            default: 0
            jmesPath: 'imageData.manifestList.manifests | length(@)'
        deny:
          conditions:
            all:
            - key: '{{ manifests }}'
              operator: Equals
              value: 0
        list: request.object.spec.containers
      message: Images must specify a manifest list to be valid.
  validationFailureAction: Enforce