mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-07 00:17:13 +00:00
ff9328809b
* add global-anchor test Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add trusted-images test Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add yaml-signing test Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add x509-decode test Signed-off-by: Chip Zoller <chipzoller@gmail.com> Signed-off-by: Chip Zoller <chipzoller@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
35 lines
951 B
YAML
35 lines
951 B
YAML
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: check-trustable-images
|
|
spec:
|
|
validationFailureAction: enforce
|
|
rules:
|
|
- name: only-allow-trusted-images
|
|
match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- Pod
|
|
preconditions:
|
|
- key: "{{request.operation}}"
|
|
operator: NotEquals
|
|
value: DELETE
|
|
validate:
|
|
message: "images with root user are not allowed"
|
|
foreach:
|
|
- list: "request.object.spec.containers"
|
|
context:
|
|
- name: imageData
|
|
imageRegistry:
|
|
reference: "{{ element.image }}"
|
|
jmesPath: "{user: configData.config.User || '', registry: registry}"
|
|
deny:
|
|
conditions:
|
|
all:
|
|
- key: "{{ imageData.user }}"
|
|
operator: Equals
|
|
value: ""
|
|
- key: "{{ imageData.registry }}"
|
|
operator: NotEquals
|
|
value: "ghcr.io"
|