Require imagePullSecrets
Some registries, both public and private, require credentials in order to pull images from them. This policy checks container images and, if they come from a registry other than ghcr.io or quay.io, requires an `imagePullSecret`.
Policy Definition
/other/require_imagepullsecrets.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-imagepullsecrets
  annotations:
    policies.kyverno.io/title: Require imagePullSecrets
    policies.kyverno.io/category: Sample
    policies.kyverno.io/minversion: 1.3.5
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Some registries, both public and private, require credentials in order to pull images
      from them. This policy checks those images and if they come from a registry
      other than ghcr.io or quay.io an `imagePullSecret` is required.
spec:
  # audit: report violations without blocking the request
  validationFailureAction: audit
  rules:
  - name: check-for-image-pull-secrets
    match:
      resources:
        kinds:
        - Pod
    preconditions:
    # Registry of each image listed under spec.containers
    - key: "{{ images.containers.*.registry }}"
      operator: NotIn
      value:
      - ghcr.io
      - quay.io
    validate:
      message: "An `imagePullSecret` is required when pulling from this registry."
      pattern:
        spec:
          imagePullSecrets:
          # Any non-empty secret name satisfies the pattern
          - name: "?*"
```
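The manifests below are an added example, not part of the original policy page: four constructed Pods showing how the rule above treats each case. Pod names, image names and the secret name `regcred` are placeholders, and the comments assume Kyverno resolves an image with no registry prefix to `docker.io`.

```yaml
# 1. Registry resolves to docker.io and no pull secret is set: the precondition
#    matches, the pattern fails, and a violation is reported (audit does not block).
apiVersion: v1
kind: Pod
metadata:
  name: dockerhub-no-secret
spec:
  containers:
  - name: app
    image: nginx:1.25
---
# 2. Same registry, pull secret referenced: the pattern is satisfied.
apiVersion: v1
kind: Pod
metadata:
  name: dockerhub-with-secret
spec:
  imagePullSecrets:
  - name: regcred
  containers:
  - name: app
    image: docker.io/library/nginx:1.25
---
# 3. Exempt registry: the precondition is false, so the rule is skipped.
apiVersion: v1
kind: Pod
metadata:
  name: ghcr-no-secret
spec:
  containers:
  - name: app
    image: ghcr.io/example-org/app:1.0
---
# 4. Main container exempt, init container not: the precondition reads only
#    images.containers, so the init container's registry is never evaluated.
apiVersion: v1
kind: Pod
metadata:
  name: init-from-dockerhub
spec:
  initContainers:
  - name: setup
    image: busybox:1.36
  containers:
  - name: app
    image: ghcr.io/example-org/app:1.0
```

The pattern only requires a non-empty `name`; it does not verify that the referenced Secret exists or holds valid credentials. These cases can be checked offline with the Kyverno CLI, for example `kyverno apply require_imagepullsecrets.yaml --resource pods.yaml`, where `pods.yaml` is a hypothetical file holding the manifests above.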