We have recently received a request from a customer, asking us to restrict the container registries from which images could be deployed in their OpenShift 4 cluster.
We could have added such configuration directly at node level, as explained in Red Hat’s documentation; it is indeed possible to whitelist registries at repository and tag level, but that would have forced us to keep those whitelists in sync with the registries our Project Syn components regularly use.
We have instead chosen to use Kyverno for this task: it allows us to enforce the limitations on a per-namespace level, with much more flexibility and maintainability.
This is a ClusterPolicy object for Kyverno, adapted from the solution we provided to our customer, showing how we can restrict the limitation to some namespaces, so that containers can be pulled only from some specific registries.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-registries
  annotations:
    policies.kyverno.io/title: Restrict Image Registries
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Restrict image pulling only to whitelisted registries
spec:
  validationFailureAction: enforce
  background: true
  rules:
    - name: validate-registries
      match:
        all:
          - resources:
              kinds:
                - Pod
              namespaces:
                - "namespace-wildcard-*"
      validate:
        message: "Image registry not whitelisted"
        pattern:
          spec:
            containers:
              - image: "registry.example.com/* | hub.docker.com/some-username/*"
```
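To see what this rule admits and rejects before enforcing it, here is an added Python simulation (not part of the original post, and not Kyverno's own code) of the matching logic the policy relies on: Kyverno's `*` and `?` wildcards, `|` alternation inside a string pattern, and the namespace selector of the match block. The namespace names and image references it checks are constructed for the example.

```python
import re

# The page's policy values, copied here as Python literals (constructed local
# simulation of Kyverno's pattern matching; it does not call Kyverno).
NAMESPACE_SELECTORS = ["namespace-wildcard-*"]
IMAGE_PATTERN = "registry.example.com/* | hub.docker.com/some-username/*"

def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Kyverno string patterns: '*' matches any run of characters, '?' one character."""
    escaped = re.escape(pattern.strip())
    return re.compile(escaped.replace(r"\*", ".*").replace(r"\?", "."))

def matches_pattern(value: str, pattern: str) -> bool:
    """'|' separates alternatives; the value must fully match at least one of them."""
    return any(wildcard_to_regex(alt).fullmatch(value) for alt in pattern.split("|"))

def in_scope(namespace: str) -> bool:
    """The rule's match block only selects Pods whose namespace matches a selector."""
    return any(wildcard_to_regex(sel).fullmatch(namespace) for sel in NAMESPACE_SELECTORS)

def validate_pod(pod: dict) -> tuple[bool, list[str]]:
    """Return (admitted, offending images). Out-of-scope Pods are admitted untouched;
    in scope, every spec.containers[*].image must match IMAGE_PATTERN, exactly as the
    pattern is written (it says nothing about initContainers)."""
    namespace = pod["metadata"].get("namespace", "default")
    if not in_scope(namespace):
        return True, []
    offending = [c["image"] for c in pod["spec"].get("containers", [])
                 if not matches_pattern(c["image"], IMAGE_PATTERN)]
    return not offending, offending

def pod(namespace: str, images: list[str], init_images: tuple[str, ...] = ()) -> dict:
    """Build a minimal constructed Pod manifest for the checks below."""
    spec = {"containers": [{"name": f"c{i}", "image": img} for i, img in enumerate(images)]}
    if init_images:
        spec["initContainers"] = [{"name": f"i{i}", "image": img} for i, img in enumerate(init_images)]
    return {"metadata": {"namespace": namespace}, "spec": spec}

if __name__ == "__main__":
    # Constructed sample Pods: allowed image, disallowed image in scope, disallowed
    # image out of scope, and an allowed image beside an init container the rule never sees.
    for p in (pod("namespace-wildcard-prod", ["registry.example.com/app:1.0"]),
              pod("namespace-wildcard-prod", ["docker.io/library/nginx:1.25"]),
              pod("other-team", ["docker.io/library/nginx:1.25"]),
              pod("namespace-wildcard-prod", ["registry.example.com/app:1.0"], ("quay.io/x/init:1",))):
        print(p["metadata"]["namespace"], validate_pod(p))
```

The last sample Pod is admitted because the pattern only addresses `spec.containers`; if init containers must be constrained as well, the pattern needs a matching `initContainers` entry.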