# Based on https://kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries/?policytypes=Best%2520Practices
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
  annotations:
    policies.kyverno.io/title: Restrict Image Registries
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.3.0
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Images from unknown registries may not be scanned and secured. 
      Requiring use of known registries helps reduce threat exposure.      
spec:
  background: true
  validationFailureAction: audit
  rules:
  - name: validate-registries
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Unknown image registry."
      pattern:
        spec:
          containers:
          # EKS repositories for add-ons (VPC CNI, kube-proxy...) : https://docs.aws.amazon.com/eks/latest/userguide/add-ons-images.html
          # The following registries are added as example, restrict the list as needed
          - image: "k8s.gcr.io/* | gcr.io/* | ghcr.io/kyverno/* | ghcr.io/fluxcd/* | quay.io/tigera/* | docker.io/calico/* | public.ecr.aws/* | 602401143452.dkr.ecr.us-west-2.amazonaws.com/* | quay.io/prometheus/* | quay.io/prometheus-operator/* | quay.io/kiwigrid/* | grafana/* | k8s.gcr.io/kube-state-metrics/* | ghcr.io/stefanprodan/* "