https://github.com/kubewarden/trusted-repos-policy

A Kubewarden policy that restricts what registries, tags and images can pods on your cluster refer to
https://github.com/kubewarden/trusted-repos-policy

hacktoberfest kubernetes kubernetes-compliance kubernetes-security kubewarden-policy policy-as-code webassembly

Last synced: 6 months ago
JSON representation

A Kubewarden policy that restricts what registries, tags and images can pods on your cluster refer to

• Host: GitHub
• URL: https://github.com/kubewarden/trusted-repos-policy
• Owner: kubewarden
• License: apache-2.0
• Created: 2021-03-11T15:09:13.000Z (over 4 years ago)
• Default Branch: main
• Last Pushed: 2024-12-09T10:37:31.000Z (6 months ago)
• Last Synced: 2024-12-09T11:36:22.530Z (6 months ago)
• Topics: hacktoberfest, kubernetes, kubernetes-compliance, kubernetes-security, kubewarden-policy, policy-as-code, webassembly
• Language: Rust
• Homepage: https://kubewarden.io
• Size: 256 KB
• Stars: 6
• Watchers: 7
• Forks: 3
• Open Issues: 2
• Metadata Files:
  • Readme: README.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE
  • Codeowners: CODEOWNERS

Awesome Lists containing this project

README

        
[![Kubewarden Policy Repository](https://github.com/kubewarden/community/blob/main/badges/kubewarden-policies.svg)](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#policy-scope)

[![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#stable)

Kubewarden policy that allows to restrict what repositories, tags and

images pods in your cluster can refer to.

# What the policy allows to restrict

The policy configuration allows to mix and match several filters:

`registries`, `tags`, and `images`.

When both an allow list and a reject list is supported, only one can

be provided at the same time for that specific filter.

* Registries

  * Allow list

  * Reject list

* Tags

  * Reject list

* Images

  * Allow list

  * Reject list

## Examples

* Only allow images coming from `registry.my-corp.com`:

```yaml

registries:

  allow:

  - registry.my-corp.com

```

* Only reject one host, in this case the Docker Hub:

```yaml

registries:

  reject:

  - docker.io

```

* Reject the latest tag for all images:

```yaml

tags:

  reject:

  - latest

```

* Only reject one specific image, allow the rest:

```yaml

images:

  reject:

  - quay.io/etcd/etcd:v3.4.12

```

* Only accept a well known set of images, reject the rest:

```yaml

images:

  allow:

  - quay.io/coreos/etcd:v3.4.12@sha256:7ed2739c96eb16de3d7169e2a0aa4ccf3a1f44af24f2bb6cad826935a51bcb3d

  - quay.io/bitnami/redis:6.0@sha256:82dfd9ac433eacb5f89e5bf2601659bbc78893c1a9e3e830c5ef4eb489fde079

```