Require imagePullSecrets
Some registries, both public and private, require credentials in order to pull images from them. This policy checks those images and, if they come from a registry other than ghcr.io or quay.io, requires an `imagePullSecret`.
Policy Definition
/other/require_imagepullsecrets.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-imagepullsecrets
  annotations:
    policies.kyverno.io/title: Require imagePullSecrets
    policies.kyverno.io/category: Sample
    policies.kyverno.io/minversion: 1.3.5
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Some registries, both public and private, require credentials in order to pull images
      from them. This policy checks those images and if they come from a registry
      other than ghcr.io or quay.io an `imagePullSecret` is required.
spec:
  # audit: violations are reported, not blocked at admission
  validationFailureAction: audit
  # also evaluate Pods that already exist in the cluster
  background: true
  rules:
  - name: check-for-image-pull-secrets
    match:
      resources:
        kinds:
        - Pod
    # apply the rule only to images from registries outside this list
    preconditions:
      all:
      - key: "{{ images.containers.*.registry }}"
        operator: NotIn
        value:
        - ghcr.io
        - quay.io
    validate:
      message: "An `imagePullSecret` is required when pulling from this registry."
      pattern:
        spec:
          imagePullSecrets:
          # "?*" matches any string of at least one character
          - name: "?*"
```
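To preview which manifests the rule would report before applying it, the sketch below approximates the check offline. It is an added example, not Kyverno's engine or code from the policy's authors. It assumes Docker's image naming convention with `docker.io` as the default registry, treats a missing or empty `imagePullSecrets` list as a failure, and flags a Pod when any container image is outside the allow-list; `registry_of`, `has_pull_secret`, `audit` and the sample Pods are hypothetical names and constructed data.

```python
# Added example: offline approximation of the policy check, not Kyverno code.
ALLOWED_REGISTRIES = {"ghcr.io", "quay.io"}  # the policy's NotIn list
DEFAULT_REGISTRY = "docker.io"  # assumption: default for unqualified image names


def registry_of(image: str) -> str:
    """Registry host of an image reference, following Docker's naming convention."""
    first, sep, _ = image.partition("/")
    # The first path component is a registry only if it looks like a host.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return DEFAULT_REGISTRY


def has_pull_secret(pod: dict) -> bool:
    """True if spec.imagePullSecrets has entries and each has a non-empty name."""
    secrets = pod.get("spec", {}).get("imagePullSecrets") or []
    return bool(secrets) and all(isinstance(s, dict) and s.get("name") for s in secrets)


def audit(pod: dict) -> list:
    """Registries outside the allow-list that the Pod pulls from without a secret.

    Only spec.containers is read, like the policy's images.containers key.
    Flagging on any one such container is this example's interpretation.
    """
    containers = pod.get("spec", {}).get("containers", [])
    outside = {registry_of(c["image"]) for c in containers} - ALLOWED_REGISTRIES
    return [] if has_pull_secret(pod) else sorted(outside)


# Constructed sample Pods (trimmed to the fields the check reads).
SAMPLE_PODS = {
    "unqualified": {"spec": {"containers": [{"image": "nginx:1.25"}]}},
    "allowed": {"spec": {"containers": [{"image": "ghcr.io/example/app:1.0"}]}},
    "private-no-secret": {"spec": {"containers": [
        {"image": "registry.example.com:5000/team/app:2.1"}]}},
    "private-with-secret": {"spec": {
        "containers": [{"image": "registry.example.com:5000/team/app:2.1"}],
        "imagePullSecrets": [{"name": "regcred"}]}},
}

if __name__ == "__main__":
    for name, pod in SAMPLE_PODS.items():
        missing = audit(pod)
        print(f"{name}: {'FAIL ' + ', '.join(missing) if missing else 'pass'}")
```

An unqualified image such as `nginx:1.25` resolves to `docker.io`, so it falls outside the allow-list and is reported unless the Pod carries a pull secret.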