Hi everyone! I'm part of an IT Security team and I'm looking to give our developers the ability to pull certain images from ghcr.io without granting them access to all images available there. Ideally, I want to set up a whitelist rule, like "ghcr.io/tektoncd/pipeline/*", which would allow them to run commands like "docker pull ghcr.io/tektoncd/pipeline/entrypoint-bff0a22da108bc2f16c818c97641a296:v1.0.0". However, if they attempt to pull something that's not on the whitelist, such as images from "ghcr.io/fluxcd/source-controller:sha256-9d15c1dec4849a7faff64952dcc2592ef39491c911dc91eeb297efdbd78691e3.sig", the command should fail. I'm open to any tools—whether free or paid—that could help with this setup. Any suggestions?
5 Answers
For a more robust solution, consider combining Kyverno or Gatekeeper with a private registry like Harbor. This will give you the flexibility you need.
If you want a native solution within Kubernetes, the admission policy feature might be what you need. There's no necessity for third-party tools if you follow this route.
I’d suggest checking out the ValidatingAdmissionWebhook feature in Kubernetes. You can use a tool like Kyverno to enforce your image policies. For example, you could set a policy that only allows images from ghcr.io, ensuring that anything else gets blocked. Here's a quick sample policy to illustrate:
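Added example (not the answer's own sample, which is not reproduced above): a Kyverno ClusterPolicy that admits only images under the ghcr.io/tektoncd/pipeline/ prefix from the question and rejects every other image reference, including the fluxcd one. The policy name, failure message and Enforce action are assumed choices.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: allow-tekton-pipeline-images-only   # assumed name
spec:
  # Enforce rejects the Pod at admission; Audit would only log a violation.
  validationFailureAction: Enforce
  # Also report existing Pods that violate the rule, not only new ones.
  background: true
  rules:
    - name: restrict-image-prefix
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Only images under ghcr.io/tektoncd/pipeline/ are allowed;
          "{{ request.object.spec.containers[0].image }}" is not on the allowlist.
        pattern:
          spec:
            # Every container image must match the wildcard prefix.
            containers:
              - image: "ghcr.io/tektoncd/pipeline/*"
            # =( ) is a conditional anchor: validate initContainers and
            # ephemeralContainers only when the field is present.
            =(initContainers):
              - image: "ghcr.io/tektoncd/pipeline/*"
            =(ephemeralContainers):
              - image: "ghcr.io/tektoncd/pipeline/*"
```

This enforces the allowlist at Kubernetes admission time, so a Pod referencing ghcr.io/fluxcd/source-controller is rejected, but it does not affect a developer running docker pull on a workstation; for that path a mirroring registry such as Harbor, as suggested in the other answers, is the control point.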
One way to manage this is by using a private registry with mirror rules set up for ghcr.io. This way, you can control which images are pulled based on your whitelist.
We actually self-host Harbor and use its webhook to rewrite image registries to point to Harbor. Plus, we leverage Kyverno to manage the image pull secrets effectively.

Wow, this looks super helpful! Thanks for sharing.