
Restrict Image Registries #1210

Open
devopstia opened this issue Dec 23, 2024 · 3 comments

Comments

devopstia commented Dec 23, 2024

I have added the docker.io registry and I am not able to create a pod with an image coming from Docker Hub. Below are my deployment file and the updated policy.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
  annotations:
    policies.kyverno.io/title: Restrict Image Registries
    policies.kyverno.io/category: Best Practices, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.26"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Images from unknown, public registries can be of dubious quality and may not be
      scanned and secured, representing a high degree of risk. Requiring use of known, approved
      registries helps reduce threat exposure by ensuring image pulls only come from them. This
      policy validates that container images only originate from the registry `eu.foo.io` or
      `bar.io`. Use of this policy requires customization to define your allowable registries.
spec:
  validationFailureAction: Enforce
  background: true
  rules:
  - name: validate-registries
    match:
      any:
      - resources:
          kinds:
          - Pod
          - Deployment
          - StatefulSet
          - DaemonSet
    validate:
      message: "Unknown image registry."
      pattern:
        spec:
          =(ephemeralContainers):
          - image: "eu.foo.io/* | bar.io/* | docker.io/*"
          =(initContainers):
          - image: "eu.foo.io/* | bar.io/* | docker.io/*"
          containers:
          - image: "eu.foo.io/* | bar.io/* | docker.io/*"

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 6
  selector:
    matchLabels:
      app: nginx-dockerhub
  template:
    metadata:
      labels:
        app: nginx-dockerhub
    spec:
      containers:
      - name: nginx
        image: docker.io/nginx:1.23.3  # Updated to a specific version
        ports:
        - containerPort: 80
```

I am getting this error:

```text
Error from server: error when creating "nginx.yaml": admission webhook "validate.kyverno.svc-fail" denied the request:

resource Deployment/app/nginx was blocked due to the following policies

restrict-image-registries:
  validate-registries: 'validation error: Unknown image registry. rule validate-registries
    failed at path /spec/containers/'
```

epasham (Contributor) commented Dec 24, 2024

You should remove `docker.io/*` from `validate.pattern.spec`. As per your policy, the images from the eu.foo.io, bar.io and docker.io registries are restricted.

devopstia (Author) commented Dec 24, 2024

Oh, I see. I was thinking that images from eu.foo.io, bar.io and docker.io would be allowed. How can I allow images to be pulled only from eu.foo.io, bar.io and docker.io in this case?

devopstia (Author) commented Dec 24, 2024

Also, as soon as I removed docker.io and applied the policy in the cluster, it stopped me from creating the manifest below, which is actually wrong because those registries are not restricted. If I delete the policy, I am able to create the manifest below without any issue.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
  annotations:
    policies.kyverno.io/title: Restrict Image Registries
    policies.kyverno.io/category: Best Practices, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.26"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Images from unknown, public registries can be of dubious quality and may not be
      scanned and secured, representing a high degree of risk. Requiring use of known, approved
      registries helps reduce threat exposure by ensuring image pulls only come from them. This
      policy validates that container images only originate from the registry `eu.foo.io` or
      `bar.io`. Use of this policy requires customization to define your allowable registries.
spec:
  validationFailureAction: Enforce
  background: true
  rules:
  - name: validate-registries
    match:
      any:
      - resources:
          kinds:
          - Pod
          - Deployment
          - StatefulSet
          - DaemonSet
    validate:
      message: "Unknown image registry."
      pattern:
        spec:
          =(ephemeralContainers):
          - image: "eu.foo.io/* | bar.io/*"
          =(initContainers):
          - image: "eu.foo.io/* | bar.io/*"
          containers:
          - image: "eu.foo.io/* | bar.io/*"

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-dockerhub
  template:
    metadata:
      labels:
        app: nginx-dockerhub
    spec:
      containers:
      - name: nginx
        image: docker.io/nginx:1.23.3  # Updated to a specific version
        ports:
        - containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: bitnami
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-bitnami
  template:
    metadata:
      labels:
        app: nginx-bitnami
    spec:
      containers:
      - name: bitnami
        image: bitnami/nginx:1.27.3-debian-12-r0  # Updated to Bitnami NGINX image
        ports:
        - containerPort: 80
```
```text
k apply -f nginx.yaml -n app
Error from server: error when creating "nginx.yaml": admission webhook "validate.kyverno.svc-fail" denied the request:

resource Deployment/app/nginx was blocked due to the following policies

restrict-image-registries:
  validate-registries: 'validation error: Unknown image registry. rule validate-registries
    failed at path /spec/containers/'

Error from server: error when creating "nginx.yaml": admission webhook "validate.kyverno.svc-fail" denied the request:

resource Deployment/app/bitnami was blocked due to the following policies

restrict-image-registries:
  validate-registries: 'validation error: Unknown image registry. rule validate-registries
    failed at path /spec/containers/'
```
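
One way to see why each manifest in this thread is accepted or rejected, as an added example that is not part of the issue and is not Kyverno's own code: a small Python model of the `validate.pattern` semantics the policy relies on (the `|` alternatives, `*` wildcards and `=()` anchors, with the assumptions spelled out in the module docstring), run over objects constructed from the manifests above. It reports the failing path in the same `/spec/containers/` form as the admission errors in the first and the last post. The policy's pattern places `containers` directly under `spec`, which is a Pod's layout, whereas a Deployment's pod spec sits under `spec.template.spec`, so the block also evaluates the same pattern re-rooted there. Going beyond the thread, `effective_registry()` applies the Docker reference rule to show which registry an unqualified reference such as `bitnami/nginx:...` is actually pulled from, something a plain string pattern never sees. The helper names (`check`, `pod`, `deployment`, `effective_registry`) and the sample objects are this example's own.

```python
"""Model of the Kyverno validate.pattern rules used in this issue.

Added example, not Kyverno's code. Assumptions (the Kyverno pattern syntax
as the author of this example understands it):
  * "|" in a string pattern separates alternatives, surrounding spaces ignored
  * "*" matches any run of characters, "/" included; "?" matches one character
  * a key spelled =(name) is an equality anchor: checked only when present
  * every element of a resource list must satisfy some pattern-list element
"""
import fnmatch

# Pattern string copied from the policy posted in the issue
ALLOWED = "eu.foo.io/* | bar.io/* | docker.io/*"


def match_value(pattern: str, value) -> bool:
    """Scalar match: the value satisfies at least one '|' alternative."""
    return any(fnmatch.fnmatchcase(str(value), alt.strip())
               for alt in pattern.split("|"))


def check(pattern, resource, path=""):
    """Evaluate a pattern; returns (ok, failing_path) in the same
    '/spec/containers/' form the admission error reports."""
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return False, path + "/"
        for key, sub in pattern.items():
            optional = key.startswith("=(") and key.endswith(")")
            name = key[2:-1] if optional else key
            if name not in resource:
                if optional:            # anchor: an absent key is not a failure
                    continue
                return False, f"{path}/{name}/"   # required key missing
            ok, where = check(sub, resource[name], f"{path}/{name}")
            if not ok:
                return False, where
        return True, ""
    if isinstance(pattern, list):
        if not isinstance(resource, list):
            return False, path + "/"
        for i, item in enumerate(resource):
            results = [check(p, item, f"{path}/{i}") for p in pattern]
            if not any(ok for ok, _ in results):
                return False, results[0][1]
        return True, ""
    return (True, "") if match_value(str(pattern), resource) else (False, path + "/")


# The policy's pattern is shaped like a Pod: containers directly under spec.
POD_PATTERN = {"spec": {
    "=(ephemeralContainers)": [{"image": ALLOWED}],
    "=(initContainers)": [{"image": ALLOWED}],
    "containers": [{"image": ALLOWED}],
}}
# A Deployment (likewise StatefulSet/DaemonSet) carries its pod spec under
# spec.template.spec, so the same pattern has to be re-rooted there.
DEPLOYMENT_PATTERN = {"spec": {"template": POD_PATTERN}}


def pod_spec(image, init_image=None):
    """Constructed sample pod spec, modelled on the manifests in the issue."""
    spec = {"containers": [{"name": "nginx", "image": image}]}
    if init_image:
        spec["initContainers"] = [{"name": "init", "image": init_image}]
    return spec


def pod(image, init_image=None):
    return {"kind": "Pod", "spec": pod_spec(image, init_image)}


def deployment(image):
    return {"kind": "Deployment",
            "spec": {"template": {"spec": pod_spec(image)}}}


def effective_registry(ref: str) -> str:
    """Registry a runtime resolves a reference to (Docker reference rule:
    the first path component is a registry only if it contains '.' or ':'
    or equals 'localhost'; otherwise docker.io is implied)."""
    first = ref.split("/", 1)[0]
    if "/" in ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


if __name__ == "__main__":
    for name, res in [("pod/nginx", pod("docker.io/nginx:1.23.3")),
                      ("deployment/nginx", deployment("docker.io/nginx:1.23.3")),
                      ("pod/bitnami", pod("bitnami/nginx:1.27.3-debian-12-r0"))]:
        print(name, "with pod-shaped pattern:", check(POD_PATTERN, res))
    print("deployment with re-rooted pattern:",
          check(DEPLOYMENT_PATTERN, deployment("docker.io/nginx:1.23.3")))
    for ref in ("docker.io/nginx:1.23.3", "bitnami/nginx:1.27.3-debian-12-r0"):
        print(ref, "pulls from", effective_registry(ref),
              "| matches pattern:", match_value(ALLOWED, ref))
```

Running it shows the two outcomes this thread asks about: `docker.io/nginx:1.23.3` does satisfy the `docker.io/*` alternative, but the Pod-shaped pattern applied to a Deployment fails at `/spec/containers/` because that key does not exist at that level; re-rooted under `spec.template.spec` the same Deployment passes. The Bitnami reference fails the string pattern even though a runtime would pull it from docker.io, so an allow-list that is meant to cover Docker Hub has to decide how unqualified references are treated.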
