k8sallowedrepos

Basic Information

Policy type: compliance
Recommended level: L1
Effective resource type: Pod
Parameter
repos: String array

Function

The container image must start with a string in a specified string list.

Policy Example

The following policy instance specifies that the container image must start with openpolicyagent/.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: repo-is-openpolicyagent
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "default"
  parameters:
    repos:
      - "openpolicyagent/"

Resource Definition That Complies with the Policy

The container image starts with openpolicyagent/, which complies with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
    - name: opa
      image: openpolicyagent/opa:0.9.2

Resource Definition That Does Not Comply with the Policy

The container image starts with nginx, which does not comply with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
    - name: nginx
      image: nginx

Parent topic: Policy Definition Library

Previous topic: k8spspautomountserviceaccounttokenpod

Next topic: Configuration Management

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot