apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
spec:
  admission: true
  background: true
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pod
    name: validate-registries
    skipBackgroundRequests: true
    validate:
      message: Images may only come from our internal enterprise registry.
      pattern:
        spec:
          containers:
          - image: registry.domain.com/*
      validationFailureAction: Enforce
status:
  autogen:
    rules:
    - match:
        any:
        - resources:
            kinds:
            - DaemonSet
            - Deployment
            - Job
            - ReplicaSet
            - ReplicationController
            - StatefulSet
      name: autogen-validate-registries
      skipBackgroundRequests: true
      validate:
        message: Images may only come from our internal enterprise registry.
        pattern:
          spec:
            template:
              spec:
                containers:
                - image: registry.domain.com/*
        validationFailureAction: Enforce
    - match:
        any:
        - resources:
            kinds:
            - CronJob
      name: autogen-cronjob-validate-registries
      skipBackgroundRequests: true
      validate:
        message: Images may only come from our internal enterprise registry.
        pattern:
          spec:
            jobTemplate:
              spec:
                template:
                  spec:
                    containers:
                    - image: registry.domain.com/*
        validationFailureAction: Enforce
  conditions:
  - message: Ready
    reason: Succeeded
    status: "True"
    type: Ready