Restrict Image Registries #1210
You should remove docker.io/* from validate.pattern.spec. As per your policy, the images from eu.foo.io, bar.io and docker.io registries are restricted.

Oh I see. I was thinking that images from eu.foo.io, bar.io, docker.io and docker.io will be allowed. How can I allow images to be pulled only from eu.foo.io, bar.io, and docker.io in this case?
Also, as soon as I removed docker.io and applied it in the cluster, it restricted me from creating the manifest below, which is actually wrong because those registries are not restricted. If I delete the policy, I will be able to create the manifest below without any issue.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
  annotations:
    policies.kyverno.io/title: Restrict Image Registries
    policies.kyverno.io/category: Best Practices, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.26"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Images from unknown, public registries can be of dubious quality and may not be
      scanned and secured, representing a high degree of risk. Requiring use of known, approved
      registries helps reduce threat exposure by ensuring image pulls only come from them. This
      policy validates that container images only originate from the registry `eu.foo.io` or
      `bar.io`. Use of this policy requires customization to define your allowable registries.
spec:
  validationFailureAction: Enforce
  background: true
  rules:
  - name: validate-registries
    match:
      any:
      - resources:
          kinds:
          - Pod
          - Deployment
          - StatefulSet
          - DaemonSet
    validate:
      message: "Unknown image registry."
      pattern:
        spec:
          =(ephemeralContainers):
          - image: "eu.foo.io/* | bar.io/*"
          =(initContainers):
          - image: "eu.foo.io/* | bar.io/*"
          containers:
          - image: "eu.foo.io/* | bar.io/*"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-dockerhub
  template:
    metadata:
      labels:
        app: nginx-dockerhub
    spec:
      containers:
      - name: nginx
        image: docker.io/nginx:1.23.3 # Updated to a specific version
        ports:
        - containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: bitnami
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-bitnami
  template:
    metadata:
      labels:
        app: nginx-bitnami
    spec:
      containers:
      - name: bitnami
        image: bitnami/nginx:1.27.3-debian-12-r0 # Updated to Bitnami NGINX image
        ports:
        - containerPort: 80
```
I have added a docker.io registry and I am not able to create a pod with an image coming from Docker Hub. Below is my deployment file and the updated policy.

```text
Error from server: error when creating "nginx.yaml": admission webhook "validate.kyverno.svc-fail" denied the request:
resource Deployment/app/nginx was blocked due to the following policies
restrict-image-registries:
  validate-registries: 'validation error: Unknown image registry. rule validate-registries
    failed at path /spec/containers/'
```
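The `validate.pattern` in the policy above is a Kyverno string pattern: `*` is a wildcard and `|` separates alternatives, so `"eu.foo.io/* | bar.io/*"` allows an image when its `image` string matches either alternative. The script below is an added example (not Kyverno code and not part of this issue) that re-implements that check offline so you can see which of the two Deployments would pass a given pattern before applying the policy to a cluster. It assumes the pattern is compared against the literal `image` string as written in the manifest; on that assumption a short reference such as `bitnami/nginx:...` does not match `docker.io/*` even though the runtime will pull it from Docker Hub, which is why the example also shows the reference normalized the way a container runtime does (no registry means `docker.io`, a bare name means the `library/` namespace). The function and variable names are the example's own.

```python
from fnmatch import fnmatchcase

DEFAULT_REGISTRY = "docker.io"

# Patterns taken from the policy in this issue; the second one is the
# "allow docker.io as well" variant discussed in the comments.
ORIGINAL_PATTERN = "eu.foo.io/* | bar.io/*"
EXTENDED_PATTERN = "eu.foo.io/* | bar.io/* | docker.io/*"

# Constructed pod specs mirroring the two Deployments posted above.
DOCKERHUB_SPEC = {"containers": [{"name": "nginx", "image": "docker.io/nginx:1.23.3"}]}
BITNAMI_SPEC = {"containers": [{"name": "bitnami", "image": "bitnami/nginx:1.27.3-debian-12-r0"}]}


def split_ref(image: str) -> tuple[str, str]:
    """Split 'repo[:tag][@digest]' into (repo, suffix) so only path components are inspected."""
    repo, at, digest = image.partition("@")
    suffix = at + digest
    slash, colon = repo.rfind("/"), repo.rfind(":")
    if colon > slash:  # a ':' after the last '/' is a tag separator, not a registry port
        suffix = repo[colon:] + suffix
        repo = repo[:colon]
    return repo, suffix


def normalize_image_ref(image: str) -> str:
    """Expand a short reference the way a container runtime does before pulling it."""
    repo, suffix = split_ref(image)
    parts = repo.split("/")
    first = parts[0]
    looks_like_registry = "." in first or ":" in first or first == "localhost"
    if len(parts) == 1 or not looks_like_registry:
        parts.insert(0, DEFAULT_REGISTRY)  # no registry component: Docker Hub is implied
    if parts[0] == DEFAULT_REGISTRY and len(parts) == 2:
        parts.insert(1, "library")  # bare name on Docker Hub lives under the library/ namespace
    return "/".join(parts) + suffix


def image_matches(image: str, pattern: str) -> bool:
    """Kyverno-style string pattern: '|' separates alternatives, '*' is a wildcard."""
    alternatives = [alt.strip() for alt in pattern.split("|")]
    return any(fnmatchcase(image, alt) for alt in alternatives)


def evaluate(pod_spec: dict, pattern: str, normalize: bool = False) -> dict[str, bool]:
    """Return {image: allowed} for every image in the three container lists the policy covers."""
    results = {}
    for field in ("initContainers", "ephemeralContainers", "containers"):
        for container in pod_spec.get(field, []):
            image = container["image"]
            ref = normalize_image_ref(image) if normalize else image
            results[image] = image_matches(ref, pattern)
    return results


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL_PATTERN), ("with docker.io", EXTENDED_PATTERN)):
        for spec in (DOCKERHUB_SPEC, BITNAMI_SPEC):
            literal = evaluate(spec, pattern)
            normalized = evaluate(spec, pattern, normalize=True)
            for image in literal:
                print(f"{label:15} {image:40} literal={literal[image]!s:5} normalized={normalized[image]}")
```

Running it shows that `docker.io/nginx:1.23.3` is rejected by the original pattern and accepted once `docker.io/*` is added, while `bitnami/nginx:1.27.3-debian-12-r0` is accepted only after normalization. If you want the policy to treat short references as Docker Hub images, either write manifests with the fully qualified `docker.io/...` form or match on a pattern that also covers the unqualified form.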