How to Restrict Container Registries per Namespace with Kyverno

We have recently received a request from a customer, asking us to restrict the container registries that could be used to deploy images from in their OpenShift 4 cluster.

We could have added such configuration directly at node level, as explained in Red Hat’s documentation; it’s indeed possible to whitelist registries on repository and tag level, but that would have forced us to keep all those whitelists updated with those our Project Syn components regularly use.

We have instead chosen to use Kyverno for this task: it allows us to enforce the limitations on a per-namespace level, with much more flexibility and maintanability.

This is a ClusterPolicy object for Kyverno, adapted from the solution we provided to our customer, showing how we can restrict the limitation to some namespaces, so that containers can be pulled only from some specific registries.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-registries
  annotations:
    policies.kyverno.io/title: Restrict Image Registries
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Restrict image pulling only to whitelisted registries
spec:
  validationFailureAction: enforce
  background: true
  rules:
  - name: validate-registries
    match:
      all:
      - resources:
          kinds:
          - Pod
          namespaces:
          - "namespace-wildcard-*"
    validate:
      message: "Image registry not whitelisted"
      pattern:
        spec:
          containers:
          - image: "registry.example.com/* | hub.docker.com/some-username/*"