Commit
* Added disallowed-registries
* Added link to documentation
1 parent de9e695, commit 302a732
Showing 5 changed files with 79 additions and 1 deletion.
9 changes: 9 additions & 0 deletions
open-policy-agent/trusted-image-sources/disallowed-registries/README.md
@@ -0,0 +1,9 @@ | ||
# Disallow Registries | ||
|
||
The policy makes sure a list of "Allowed Registries" is associated with the [cluster Image resource](https://docs.openshift.com/container-platform/4.9/openshift_images/image-configuration.html). If a registry is not mentioned in the Image resource, images from this registry will not be pulled for pod creation. | ||
|
||
Managing a list of allowed registries provides control over what code runs on the OpenShift cluster. Anomalous registry instances can contain dangerous unscanned images in them, such images must be avoided. | ||
|
||
A list of allowed registries is created in the [constraint.yaml](constraint.yaml) file. If an Image resource has not allowed registries associated with it, an alert is initiated by the constraint. An alert is initiated if there are no registries configured in the Image resource as well. | ||
|
||
`This policy has been tested on openshift cluster & oc client version 4.9.0` |
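Review bot: the third paragraph's "If an Image resource has not allowed registries associated with it" is ambiguous; it should say that a violation is reported when the Image resource's `spec.registrySources.allowedRegistries` lists a registry that is not in the constraint's `allowedRegistries` parameter (the subset check the template performs), and also when that field is absent or empty. Two smaller points: the heading "Disallow Registries" and the directory name `disallowed-registries` should agree, and because constraint.yaml in this same commit sets `enforcementAction: dryrun`, the README should state plainly that the policy audits and reports rather than blocks changes to the Image resource. The closing sentence wrapped in backticks renders as code; plain text (or a "Tested on" note) reads better.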
13 changes: 13 additions & 0 deletions
open-policy-agent/trusted-image-sources/disallowed-registries/constraint.yaml
@@ -0,0 +1,13 @@ | ||
apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
kind: K8sDisallowedRegistries | ||
metadata: | ||
name: disallow-registries | ||
spec: | ||
enforcementAction: dryrun | ||
match: | ||
kinds: | ||
- apiGroups: ["config.openshift.io"] | ||
kinds: ["Image"] | ||
parameters: | ||
allowedRegistries: | ||
- "quay.io" |
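Review bot: `enforcementAction: dryrun` means this constraint only records violations in its status and in audit results and never rejects a change to the cluster Image resource; if alerting is the intent that is fine, but the README should say so, and anyone who wants enforcement must change it to `deny`. Also worth a comment in the file: the match is limited to `config.openshift.io` / `Image`, so if Gatekeeper audit runs with `auditFromCache` enabled, that kind must be added to the sync config or the audit will never see the resource.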
54 changes: 54 additions & 0 deletions
open-policy-agent/trusted-image-sources/disallowed-registries/template.yaml
@@ -0,0 +1,54 @@ | ||
apiVersion: templates.gatekeeper.sh/v1beta1 | ||
kind: ConstraintTemplate | ||
metadata: | ||
name: k8sdisallowedregistries | ||
annotations: | ||
description: Requires setting up allowed image sources (registries). Any other image source is disallowed. | ||
spec: | ||
crd: | ||
spec: | ||
names: | ||
kind: K8sDisallowedRegistries | ||
targets: | ||
- target: admission.k8s.gatekeeper.sh | ||
rego: | | ||
package K8sDisallowedRegisitries | ||
missing(obj, field) = true { | ||
not obj[field] | ||
} | ||
missing(obj, field) = true { | ||
obj[field] == "" | ||
} | ||
violation[{"msg": msg}] { | ||
input.review.object.kind == "Image" | ||
input.review.object.apiVersion == "config.openshift.io/v1" | ||
missing(input.review.object.spec, "registrySources") | ||
msg := sprintf("%v object must have spec.registrySources.allowedRegistries configured", [input.review.object.kind]) | ||
} | ||
violation[{"msg": msg}] { | ||
input.review.object.kind == "Image" | ||
input.review.object.apiVersion == "config.openshift.io/v1" | ||
missing(input.review.object.spec.registrySources, "allowedRegistries") | ||
msg := sprintf("%v object must have spec.registrySources.allowedRegistries configured", [input.review.object.kind]) | ||
} | ||
violation[{"msg": msg}] { | ||
input.review.object.kind == "Image" | ||
input.review.object.apiVersion == "config.openshift.io/v1" | ||
count(input.review.object.spec.registrySources.allowedRegistries) == 0 | ||
msg := sprintf("%v object must have at least one registry configured at spec.registrySources.allowedRegistries", [input.review.object.kind]) | ||
} | ||
violation[{"msg": msg}] { | ||
input.review.object.kind == "Image" | ||
input.review.object.apiVersion == "config.openshift.io/v1" | ||
allowedRegistries := { registry | registry := input.review.object.parameters.allowedRegistries[_]} | ||
presentRegistries := { registry | registry := input.review.object.spec.registrySources.allowedRegistries[_]} | ||
forbiddenRegistries := presentRegistries - allowedRegistries | ||
count(forbiddenRegistries) > 0 | ||
msg := sprintf("%v registry definitions are not allowed in the %v resource at spec.registrySources.allowedRegistries", [forbiddenRegistries, input.review.object.kind]) | ||
} |
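Review bot: the fourth `violation` rule reads the constraint parameters from `input.review.object.parameters.allowedRegistries`, but Gatekeeper passes constraint parameters as `input.parameters`, not as a field of the admission-reviewed object. As written, that set comprehension always yields the empty set, so `forbiddenRegistries == presentRegistries` and every registry the Image resource lists is reported as forbidden, including the `quay.io` entry from constraint.yaml. Change the line to `allowedRegistries := { registry | registry := input.parameters.allowedRegistries[_] }`. Two further points: the package name `K8sDisallowedRegisitries` has a typo and should match the template name (`k8sdisallowedregistries`), and `crd.spec` declares no `validation.openAPIV3Schema` for `parameters.allowedRegistries`, so a misspelled or mistyped parameter is accepted silently; add a schema declaring `allowedRegistries` as an array of strings.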