Alain Atemnkeng
--- a/templates/constraint_image_admission_controller.yaml 0 → 100644

+ 41

− 0
+++ b/templates/constraint_image_admission_controller.yaml 0 → 100644

+ 41

− 0
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8simageprovenance
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sImageProvenance
+      validation:
+        openAPIV3Schema:
+          type: object
+          properties:
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8simageprovenance
+
+        violation[{"msg": msg}] {
+          input.review.object.kind == "Pod"
+          container := input.review.object.spec.containers[_]
+          not startswith(container.image, "docker.io/")
+          not startswith(container.image, "quay.io/")
+          not startswith(container.image, "public.ecr.aws/")
+          not startswith(container.image, "gcr.io/")
+          not startswith(container.image, "ghcr.io/")
+          not startswith(container.image, "harbor.")
+          not startswith(container.image, "gitlab.")
+          msg := sprintf("Image %v is not from an allowed repository", [container.image])
+        }
+---
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sImageProvenance
+metadata:
+  name: image-provenance-constraint
+spec:
+  enforcementAction: deny
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]