apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDeprecatedRegistry
metadata:
  name: denied-deprecated-registry
  labels:
    policy.kubernetes.amazon-eks.com/gatekeeper: constraint
spec:
  # enforcementAction: warn
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["Pod","Deployment","DaemonSet","Job","CronJob","StatefulSet","ReplicaSet"]
    # namespaces:
    #   - "policy-test"
  parameters:
    allowedOps: ["CREATE","UPDATE"]
    deniedRegistries: ["k8s.gcr.io"]
    errMsg: "INVALID_REGISTRY"