In addition to restricting the image registry from which images are pulled, in some cases and environments it may be required to also restrict which image repositories are used, for example in some restricted Namespaces. This policy ensures that the only allowed image repositories present in a given Pod, across any container type, come from the designated list.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: allowed-image-repos
  annotations:
    policies.kyverno.io/title: Allowed Image Repositories
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      In addition to restricting the image registry from which images are pulled, in some cases
      and environments it may be required to also restrict which image repositories are used,
      for example in some restricted Namespaces. This policy ensures that the only allowed
      image repositories present in a given Pod, across any container type, come from the
      designated list.
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: good-repos
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: All images in this Pod must come from an authorized repository.
        deny:
          conditions:
            all:
              - key: "{{ images.[containers, initContainers, ephemeralContainers][].*.name[] }}"
                operator: AnyNotIn
                value:
                  - myknownimage
                  - kyverno
```
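To see what the `good-repos` rule compares, here is a simplified Python model of it, added as an illustration and not taken from Kyverno or from the policy's authors. It assumes the image `name` is the final path segment of the reference with tag and digest removed, uses exact string matching for `AnyNotIn`, and runs on constructed Pods.

```python
# Simplified model of the good-repos rule (added example, not Kyverno source).
ALLOWED = ["myknownimage", "kyverno"]  # the policy's `value` list
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def image_name(reference: str) -> str:
    """Return the final path segment of an image reference, minus tag and digest.

    Assumption: this mirrors the `name` field the rule's key selects.
    """
    ref = reference.split("@", 1)[0]   # drop an @sha256:... digest
    last = ref.rsplit("/", 1)[-1]      # last path segment, may still carry :tag
    return last.split(":", 1)[0]       # drop the :tag


def pod_image_names(pod: dict) -> list:
    """Collect image names across every container type, as the rule's key does."""
    spec = pod.get("spec", {})
    return [image_name(c["image"]) for f in CONTAINER_FIELDS for c in spec.get(f, [])]


def violations(pod: dict, allowed=ALLOWED) -> list:
    """AnyNotIn: the deny condition holds when any name is outside `allowed`."""
    return [n for n in pod_image_names(pod) if n not in allowed]


# Constructed sample Pods (not from the page).
POD_OK = {"spec": {
    "containers": [{"image": "ghcr.io/kyverno/kyverno:v1.9.0"}],
    "initContainers": [{"image": "myknownimage"}]}}
POD_BAD_INIT = {"spec": {
    "containers": [{"image": "myknownimage:1.0"}],
    "initContainers": [{"image": "docker.io/library/busybox:1.36"}]}}
# The name comparison does not look at registry or path, so this Pod is allowed
# by this rule alone; the registry restriction has to cover it.
POD_OTHER_REGISTRY = {"spec": {
    "containers": [{"image": "registry.example/team/kyverno:1.0"}]}}

if __name__ == "__main__":
    samples = [("ok", POD_OK), ("bad-init", POD_BAD_INIT),
               ("other-registry", POD_OTHER_REGISTRY)]
    for label, pod in samples:
        bad = violations(pod)
        print(f"{label}: {'deny' if bad else 'allow'} {bad}")
```

The third Pod is allowed because the rule looks only at the image name, which is why this policy is applied in addition to a registry restriction. With `validationFailureAction: Audit`, a denial is reported rather than blocked.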