Replace Image Registry
Rather than blocking Pods which come from outside registries, it is also possible to mutate them so the pulls are directed to approved registries. In some cases, those registries may function as pull-through proxies and can fetch the image if not cached. This policy mutates all images either in the form 'image:tag' or 'registry.corp.com/image:tag' to be prefaced with `myregistry.corp.com/`.
Policy Definition
/other/replace_image_registry.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: replace-image-registry
  annotations:
    policies.kyverno.io/title: Replace Image Registry
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.3.6
    policies.kyverno.io/description: >-
      Rather than blocking Pods which come from outside registries,
      it is also possible to mutate them so the pulls are directed to
      approved registries. In some cases, those registries may function as
      pull-through proxies and can fetch the image if not cached.
      This policy mutates all images either
      in the form 'image:tag' or 'registry.corp.com/image:tag' to be prefaced
      with `myregistry.corp.com/`.
spec:
  background: false
  rules:
  - name: replace-image-registry
    match:
      resources:
        kinds:
        - Pod
    mutate:
      patchStrategicMerge:
        spec:
          # Only spec.containers is patched by this rule.
          containers:
          - (name): "*"
            # Replace everything before the first "/" with the approved registry.
            image: |-
              {{ regex_replace_all('^[^/]+', '{{@}}', 'myregistry.corp.com') }}
```
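What the `^[^/]+` substitution does to different image reference forms, as an added example that is not part of the Kyverno policy: a reference with no `/` is matched in full, so `image:tag` becomes the bare registry name, and a non-registry first segment such as `library` is dropped. It assumes Go `regexp` semantics for `regex_replace_all`; `hasRegistry`, `RegistryAwareRewrite` and the sample references are hypothetical names and constructed inputs.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// firstSegment is the policy's pattern: everything before the first "/".
var firstSegment = regexp.MustCompile(`^[^/]+`)

// PolicyRewrite applies the policy's substitution to one image reference.
func PolicyRewrite(image, registry string) string {
	return firstSegment.ReplaceAllString(image, registry)
}

// hasRegistry (hypothetical helper): the first segment is a registry host only
// when a "/" follows it and it contains "." or ":" or equals "localhost".
func hasRegistry(image string) bool {
	i := strings.Index(image, "/")
	if i < 0 {
		return false
	}
	host := image[:i]
	return host == "localhost" || strings.ContainsAny(host, ".:")
}

// RegistryAwareRewrite (hypothetical) swaps an existing registry host and
// prefixes the approved registry when the reference has none.
func RegistryAwareRewrite(image, registry string) string {
	if hasRegistry(image) {
		return registry + image[strings.Index(image, "/"):]
	}
	return registry + "/" + image
}

func main() {
	const approved = "myregistry.corp.com"
	// Constructed sample references, not taken from the page.
	samples := []string{
		"registry.corp.com/image:tag",
		"image:tag",
		"library/nginx:1.25",
		"localhost:5000/team/app:2.0",
	}
	for _, s := range samples {
		fmt.Printf("%-30s policy=%-34s aware=%s\n", s, PolicyRewrite(s, approved), RegistryAwareRewrite(s, approved))
	}
}
```

A Pod whose image ends up as a bare registry name fails at pull time, so admission succeeds while the workload does not start; testing the policy against each reference form used in the cluster surfaces this before rollout.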