mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-10 18:06:55 +00:00
Code Activity
kyverno/test/conformance/chainsaw/validate/e2e/trusted-images/policy.yaml
Mariam Fahmy 2140a0239b
chore: rename validationFailureAction to failureAction under the rule (#10893) 
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2024-08-27 20:07:57 +00:00

39 lines
981 B
YAML
Raw Blame History

---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-trustable-images
spec:
admission: true
background: true
rules:
- match:
any:
- resources:
kinds:
- Pod
name: only-allow-trusted-images
preconditions:
all:
- key: '{{request.operation}}'
operator: NotEquals
value: DELETE
validate:
failureAction: Enforce
foreach:
- context:
- imageRegistry:
jmesPath: '{user: configData.config.User || '''', registry: registry}'
reference: '{{ element.image }}'
name: imageData
deny:
conditions:
all:
- key: '{{ imageData.user }}'
operator: Equals
value: ""
- key: '{{ imageData.registry }}'
operator: NotEquals
value: ghcr.io
list: request.object.spec.containers
message: images with root user are not allowed
View git blame Copy permalink