Skip to main content

Disallowed Repositories

Description

Disallowed container repositories that begin with a string from the specified list.

Template

apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sdisallowedrepos
  annotations:
    metadata.gatekeeper.sh/title: "Disallowed Repositories"
    metadata.gatekeeper.sh/version: 1.0.0
    description: >-
      Disallowed container repositories that begin with a string from the specified list.
spec:
  crd:
    spec:
      names:
        kind: K8sDisallowedRepos
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          type: object
          properties:
            repos:
              description: The list of prefixes a container image is not allowed to have.
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdisallowedrepos

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          image := container.image
          startswith(image, input.parameters.repos[_])
          msg := sprintf("container <%v> has an invalid image repo <%v>, disallowed repos are %v", [container.name, container.image, input.parameters.repos])
        }

        violation[{"msg": msg}] {
          container := input.review.object.spec.initContainers[_]
          image := container.image
          startswith(image, input.parameters.repos[_])
          msg := sprintf("initContainer <%v> has an invalid image repo <%v>, disallowed repos are %v", [container.name, container.image, input.parameters.repos])
        }

        violation[{"msg": msg}] {
          container := input.review.object.spec.ephemeralContainers[_]
          image := container.image
          startswith(image, input.parameters.repos[_])
          msg := sprintf("ephemeralContainer <%v> has an invalid image repo <%v>, disallowed repos are %v", [container.name, container.image, input.parameters.repos])
        }

Usage

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/disallowedrepos/template.yaml

Examples

repo-must-not-be-k8s-gcr-io
constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
  name: repo-must-not-be-k8s-gcr-io
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    repos:
      - "k8s.gcr.io/"

Usage

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/disallowedrepos/samples/repo-must-not-be-k8s-gcr-io/constraint.yaml
example-allowed
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-allowed
spec:
  containers:
    - name: kustomize
      image: registry.k8s.io/kustomize/kustomize:v3.8.9

Usage

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/disallowedrepos/samples/repo-must-not-be-k8s-gcr-io/example_allowed.yaml
container-disallowed
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
    - name: kustomize
      image: k8s.gcr.io/kustomize/kustomize:v3.8.9


Usage

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/disallowedrepos/samples/repo-must-not-be-k8s-gcr-io/example_disallowed_container.yaml
initcontainer-disallowed
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  initContainers:
  - name: kustomizeinit
    image: k8s.gcr.io/kustomize/kustomize:v3.8.9
  containers:
    - name: kustomize
      image: registry.k8s.io/kustomize/kustomize:v3.8.9

Usage

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/disallowedrepos/samples/repo-must-not-be-k8s-gcr-io/example_disallowed_initcontainer.yaml
both-disallowed
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  initContainers:
  - name: kustomizeinit
    image: k8s.gcr.io/kustomize/kustomize:v3.8.9
  containers:
    - name: kustomize
      image: k8s.gcr.io/kustomize/kustomize:v3.8.9

Usage

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/disallowedrepos/samples/repo-must-not-be-k8s-gcr-io/example_disallowed_both.yaml
all-disallowed
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  initContainers:
  - name: kustomize
    image:  k8s.gcr.io/kustomize/kustomize:v3.8.9
  containers:
    - name: kustomize
      image: k8s.gcr.io/kustomize/kustomize:v3.8.9
  ephemeralContainers:
    - name: kustomize
      image: k8s.gcr.io/kustomize/kustomize:v3.8.9

Usage

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/disallowedrepos/samples/repo-must-not-be-k8s-gcr-io/disallowed_all.yaml