Verified Commit d405de20 authored by Alain Atemnkeng's avatar Alain Atemnkeng :first_place:

[PLATFORM-2185] Configure Image Provenance admission control with Gatekeeper

parent 2ce9bfe6
1 merge request!72[PLATFORM-2185] Configure Image Provenance admission control with Gatekeeper
Pipeline #839532 passed with stages
in 15 seconds
apiVersion: v2
name: constraint-templates
version: 1.5.4
version: 1.5.5
appVersion: 1.0.0
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8simageprovenance
spec:
crd:
spec:
names:
kind: K8sImageProvenance
validation:
openAPIV3Schema:
type: object
properties:
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8simageprovenance
violation[{"msg": msg}] {
input.review.object.kind == "Pod"
container := input.review.object.spec.containers[_]
not startswith(container.image, "docker.io/")
not startswith(container.image, "quay.io/")
not startswith(container.image, "public.ecr.aws/")
not startswith(container.image, "gcr.io/")
not startswith(container.image, "ghcr.io/")
not startswith(container.image, "harbor.")
not startswith(container.image, "gitlab.")
msg := sprintf("Image %v is not from an allowed repository", [container.image])
}
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageProvenance
metadata:
name: image-provenance-constraint
spec:
enforcementAction: deny
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
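Review bot: The violation rule at L34–L45 iterates only `spec.containers`, so an image in `initContainers` or `ephemeralContainers` is never evaluated and can come from any registry; fold all three lists into one set before testing. The `harbor.` and `gitlab.` prefixes are also not anchored to a hostname, so a reference such as `harbor.attacker.example/app:1` passes — anchor each on the full registry host with a trailing slash (e.g. `harbor.<your-domain>/`), and note that `docker.io/` admits every Docker Hub namespace, which is registry allowlisting rather than the signature-backed "provenance" the template name suggests. Unqualified references like `nginx:1.25` are denied even though the runtime resolves them to docker.io; that is probably intended but deserves a comment. Since `openAPIV3Schema.properties` is empty, consider moving the allowlist into `spec.parameters.repos` so the constraint rather than the template carries the list.
```yaml
    rego: |
      package k8simageprovenance

      # Collect every container spec a Pod can run, not just spec.containers.
      all_containers[c] { c := input.review.object.spec.containers[_] }
      all_containers[c] { c := input.review.object.spec.initContainers[_] }
      all_containers[c] { c := input.review.object.spec.ephemeralContainers[_] }

      # Allowed registries; private hosts must be the full hostname plus "/",
      # otherwise "harbor.attacker.example/" would also match.
      allowed_image(image) { startswith(image, "docker.io/") }
      allowed_image(image) { startswith(image, "quay.io/") }
      allowed_image(image) { startswith(image, "public.ecr.aws/") }
      allowed_image(image) { startswith(image, "gcr.io/") }
      allowed_image(image) { startswith(image, "ghcr.io/") }
      allowed_image(image) { startswith(image, "harbor.<your-domain>/") }
      allowed_image(image) { startswith(image, "gitlab.<your-domain>/") }

      violation[{"msg": msg}] {
        input.review.object.kind == "Pod"
        container := all_containers[_]
        not allowed_image(container.image)
        msg := sprintf("Image %v is not from an allowed repository", [container.image])
      }
```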