I am trying to figure out if it’s possible to restrict a cluster at a global level, or per namespace, to only allow pulling from a specific registry. I am starting to think this is something I would have to do with OPA or some other 3rd party product. At this point I don’t know if this is just something that is not part of k8s, or if my search skills suck.
Try narrowing your search to ImagePolicyWebhook:
This thread on Stack Overflow gives a good overview:
But other than the GitHub repo provided on that page I couldn’t find any OSS solution.
Thank you. The Stack Overflow thread is really informative. The admission controller will definitely work. But I feel like I should drudge through the manual and learn OPA. I have a feeling that is where these policies will end up. Only downer is having to learn Rego. Does the world need another declarative language?
Just realizing that OPA in k8s is an admission controller.
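
Added example, not from any poster in this thread or from the linked repository: the allow/deny decision an ImagePolicyWebhook backend would make for the registry restriction discussed above, taking an `ImageReview` request and returning its `status`. The allowlist, the registry name `registry.example.internal` and the sample request are constructed assumptions; the HTTPS server and API server configuration are left out.

```python
# Added example: registry allowlist decision for an ImageReview request
# (imagepolicy.k8s.io/v1alpha1). Host names and sample data are constructed.
ALLOWED_REGISTRIES = {"registry.example.internal"}  # assumed allowlist


def registry_of(image: str) -> str:
    """Return the registry host of an image reference.

    The first path component is a registry only if it looks like a host
    (contains '.' or ':' or is 'localhost'); otherwise the reference is
    resolved against Docker Hub, so 'nginx' and 'library/nginx' are docker.io.
    """
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"


def review(image_review: dict) -> dict:
    """Fill in status.allowed / status.reason for an ImageReview request."""
    spec = image_review.get("spec", {})
    images = [c.get("image", "") for c in spec.get("containers", [])]
    # Compare the whole host, never a string prefix of the image name:
    # 'registry.example.internal.evil.test/app' must not match the allowlist.
    denied = [i for i in images if registry_of(i) not in ALLOWED_REGISTRIES]
    status = {"allowed": bool(images) and not denied}
    if not status["allowed"]:
        status["reason"] = "registry not allowed: " + ", ".join(denied or ["<no images>"])
    return {"apiVersion": "imagepolicy.k8s.io/v1alpha1",
            "kind": "ImageReview", "status": status}


def sample_request(*images: str) -> dict:
    """Build a constructed ImageReview request for the given images."""
    return {"apiVersion": "imagepolicy.k8s.io/v1alpha1", "kind": "ImageReview",
            "spec": {"namespace": "demo",
                     "containers": [{"image": i} for i in images]}}


if __name__ == "__main__":
    print(review(sample_request("registry.example.internal/team/app:1.0")))
    print(review(sample_request("registry.example.internal/team/app:1.0", "nginx")))
```

An OPA policy written in Rego would express the same host comparison; the default-registry rule for short names like `nginx` is the part that is easy to miss in either form.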