Require imagePullSecrets
Some registries, both public and private, require credentials in order to pull images from them. This policy checks the images used by a Pod and, if they come from a registry other than ghcr.io or quay.io, requires an `imagePullSecret`.
Policy Definition
/other/require_imagepullsecrets.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-imagepullsecrets
  annotations:
    policies.kyverno.io/title: Require imagePullSecrets
    policies.kyverno.io/category: Sample
    policies.kyverno.io/minversion: 1.3.5
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Some registries, both public and private, require credentials in order to pull images
      from them. This policy checks those images and if they come from a registry
      other than ghcr.io or quay.io an `imagePullSecret` is required.
spec:
  # audit: violations are reported, not blocked.
  validationFailureAction: audit
  background: true
  rules:
  - name: check-for-image-pull-secrets
    match:
      resources:
        kinds:
        - Pod
    # Apply the rule only when the registry of the Pod's container images
    # is not one of the registries listed below.
    preconditions:
    - key: "{{ images.containers.*.registry }}"
      operator: NotIn
      value:
      - ghcr.io
      - quay.io
    validate:
      message: "An `imagePullSecret` is required when pulling from this registry."
      pattern:
        spec:
          imagePullSecrets:
          # "?*" requires a non-empty name.
          - name: "?*"
```
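Constructed Pod manifests showing how the rule treats three single-container cases, added here as an example and not part of the policy itself. The Pod names, image names, the registry `registry.example.com` and the Secret name `regcred` are assumptions.

```yaml
# Constructed sample Pods; names, images and the Secret name are hypothetical.
---
# Registry is ghcr.io: the precondition is not met, so the rule is skipped
# and no imagePullSecrets entry is needed.
apiVersion: v1
kind: Pod
metadata:
  name: allowed-registry
spec:
  containers:
  - name: app
    image: ghcr.io/example/app:1.0.0
---
# Registry is neither ghcr.io nor quay.io and spec.imagePullSecrets is absent:
# the pattern fails and, with validationFailureAction set to audit, the
# violation is reported rather than blocked.
apiVersion: v1
kind: Pod
metadata:
  name: missing-pull-secret
spec:
  containers:
  - name: app
    image: registry.example.com/team/app:1.0.0
---
# Same registry with a non-empty imagePullSecrets name: matches "?*" and passes.
apiVersion: v1
kind: Pod
metadata:
  name: with-pull-secret
spec:
  imagePullSecrets:
  - name: regcred
  containers:
  - name: app
    image: registry.example.com/team/app:1.0.0
```

The pattern only checks that a non-empty Secret name is set on the Pod; it does not verify that the Secret exists or holds valid credentials for the registry.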