How to use OPA Gatekeeper to only allow images from a private registry.

By default, Kubernetes pulls from Docker Hub unless the deployment requests a fully qualified image path. For example, if you deploy a pod with the image rancherlabs/swiss-army-knife, Kubernetes resolves it to index.docker.io/rancherlabs/swiss-army-knife. This works for environments that can pull images from the internet, but not for environments without internet access, or where your security team requires all images to be scanned before being deployed. To solve this, you'll need to instruct your application teams to use a private registry, e.g. private.example.com/rancherlabs/swiss-army-knife. But there is always a chance that an application team forgets to change the image path in their code, and now you have pods stuck in ImagePullBackOff. To prevent this kind of issue, we will set up OPA Gatekeeper to block all deployment requests whose images do not come from our private registry, e.g. private.example.com.

Pre-requisites

Installation

Creating policy

NOTE: We’ll want to change private.example.com to match the name of your private registry. Also, you can have more than one registry in the list.

Test the policy

To test that our new policy is working correctly, we’re going to try deploying two files. allowed.yaml should work with disallowed.yaml being blocked.

NOTE: We’ll want to change private.example.com to match the name of your private registry.
