apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
  name: trusted-registries
  annotations:
    policies.kyverno.io/category: Image
    policies.kyverno.io/description: >-
      Images from unknown registries may not be scanned and secured.
      Requiring use of known registries helps reduce threat exposure.
      You can customize this policy to allow image registries that you trust.
spec:
  rules:
  - name: trusted-registries
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Deny untrusted registries"
      pattern:
        spec:
          # Only spec.containers is matched here; initContainers and
          # ephemeralContainers are not checked by this pattern.
          containers:
          # "|" is a logical OR: the image must match one of the listed registries.
          - image: "k8s.gcr.io/* | gcr.io/*"