I'm on the IT Security team at my company and I need to allow developers to pull specific images from ghcr.io, but I want to restrict them from accessing any image outside of an approved list. For example, I want to permit pulling images like "docker pull ghcr.io/tektoncd/pipeline/entrypoint-bff0a22da108bc2f16c818c97641a296:v1.0.0" while blocking attempts to pull other images like "docker pull ghcr.io/fluxcd/source-controller:sha256-9d15c1dec4849a7faff64952dcc2592ef39491c911dc91eeb297efdbd78691e3.sig". I'm open to using either free or paid tools to implement this. Any suggestions on how to effectively set this up?
2 Answers
One option is to use a private Docker registry and set up mirror rules for ghcr.io. This way, you can manage which images are allowed to be pulled without exposing the entire registry.
Check out the ValidatingAdmissionWebhook in Kubernetes. A tool like Kyverno can enforce policies like only allowing images from your specified registries. Here’s a simple policy you could use:
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
spec:
  validationFailureAction: enforce
  background: true
  rules:
    - name: validate-image-registry
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Only container images from ghcr.io are allowed."
        pattern:
          spec:
            containers:
              - image: "ghcr.io/*"
            # =() is Kyverno's conditional anchor: initContainers are checked
            # only when present, so Pods without them are not rejected.
            =(initContainers):
              - image: "ghcr.io/*"
```
You can find more examples in the Kyverno docs!
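The `ghcr.io/*` pattern in the policy above admits every image on that registry, including the fluxcd example the question wanted blocked; restricting to an approved list means matching the full reference (registry, repository and tag or digest), not just the registry. The script below is an added example, not code from the answer or from the Kyverno project: it parses image references and evaluates them against both the registry-wide wildcard and an exact allowlist built from the question's approved image (the allowlist contents are constructed for the example).

```python
"""Compare a registry-wide wildcard with an exact image allowlist.

Added example: parses container image references the way a policy engine
has to (registry / repository : tag @ digest) and shows why "ghcr.io/*"
is broader than an approved-list requirement.
"""
import fnmatch
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed allowlist: the single approved reference from the question.
APPROVED_IMAGES = {
    "ghcr.io/tektoncd/pipeline/entrypoint-bff0a22da108bc2f16c818c97641a296:v1.0.0",
}


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into its parts.

    Handles "host/path:tag", "host/path@sha256:...", "host:port/path",
    and Docker Hub short names such as "nginx:latest" (registry docker.io).
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # The first path component is a registry only if it looks like a host
    # (contains "." or ":" or is "localhost"); otherwise it is a Docker Hub namespace.
    parts = ref.split("/", 1)
    if len(parts) == 2 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, rest = parts
    else:
        registry, rest = "docker.io", ref
    # A tag is whatever follows the last ":" that comes after the last "/".
    tag = None
    colon = rest.rfind(":")
    if colon > rest.rfind("/"):
        rest, tag = rest[:colon], rest[colon + 1:]
    return ImageRef(registry, rest, tag, digest)


def allowed_by_wildcard(ref: str, pattern: str = "ghcr.io/*") -> bool:
    """The answer's policy: anything under the registry passes ('*' spans '/')."""
    return fnmatch.fnmatchcase(ref, pattern)


def allowed_by_allowlist(ref: str, approved: Iterable[str] = APPROVED_IMAGES) -> bool:
    """Exact allowlist: registry, repository and tag/digest must all match.

    A reference with neither tag nor digest (implicit :latest) is rejected
    because it does not pin a specific image.
    """
    img = parse_image_ref(ref)
    if img.tag is None and img.digest is None:
        return False
    return any(parse_image_ref(a) == img for a in approved)


def evaluate(refs: Iterable[str]) -> dict:
    """Return {ref: (wildcard_allows, allowlist_allows)} for each reference."""
    return {r: (allowed_by_wildcard(r), allowed_by_allowlist(r)) for r in refs}


if __name__ == "__main__":
    # Constructed sample: the two references from the question plus a Hub image.
    sample = [
        "ghcr.io/tektoncd/pipeline/entrypoint-bff0a22da108bc2f16c818c97641a296:v1.0.0",
        "ghcr.io/fluxcd/source-controller:sha256-9d15c1dec4849a7faff64952dcc2592ef39491c911dc91eeb297efdbd78691e3.sig",
        "nginx:latest",
    ]
    for ref, (wild, exact) in evaluate(sample).items():
        print(f"{ref}\n  ghcr.io/* allows: {wild}   allowlist allows: {exact}")
```

The same exact-match idea carries over to Kyverno: list the approved references in the `image:` pattern (Kyverno patterns accept `|`-separated alternatives) instead of a bare `ghcr.io/*`, and prefer digest-pinned references where developers can tolerate them.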
Wow yeah this is good, thanks.