# Source: https://github.com/kyverno/policies/tree/main/pod-security
# License: Apache-2.0
---
# Kyverno ClusterPolicy: allow-list of image registries for Pod containers.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
  labels:
    opendesk.eu/security-id: image-sec-002
  annotations:
    policies.kyverno.io/title: Restrict Image Registries
    policies.kyverno.io/category: Best Practices, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.6.0
    # Quoted so the version is kept as a string and not read as the float 1.26.
    kyverno.io/kubernetes-version: '1.26'
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Images from unknown, public registries can be of dubious quality and
      may not be scanned and secured, representing a high degree of risk.
      Requiring use of known, approved registries helps reduce threat
      exposure by ensuring image pulls only come from them. This policy
      validates that container images only originate from the registry
      `registry.opencode.de`.
spec:
  # Audit: a non-matching Pod is still admitted and the violation is only
  # reported (PolicyReport); set to Enforce to have the admission request
  # rejected instead.
  validationFailureAction: Audit
  # Evaluate already-existing Pods in background scans as well, not only
  # new admission requests.
  background: true
  rules:
    - name: validate-registries
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: 'Unknown image registry.'
        # Each listed container array gets a single-element pattern, which
        # Kyverno applies to every element of that array: every image must
        # start with the approved registry prefix. The trailing slash in the
        # pattern means only that exact host matches; an image with no
        # registry at all (implicit default registry) does not match either.
        # Note this checks the image reference only; it does not verify
        # image signatures or digests (that is Kyverno's verifyImages rule).
        pattern:
          spec:
            # =( ) is a conditional anchor: checked only when the field exists.
            =(ephemeralContainers):
              - image: 'registry.opencode.de/*'
            =(initContainers):
              - image: 'registry.opencode.de/*'
            containers:
              - image: 'registry.opencode.de/*'