restrict cluster or namespace to only use a specific registry

I am trying to figure out if it’s possible to restrict a cluster at a global level, or per namespace, to only allow pulling from a specific registry. I am starting to think this is something I would have to do with OPA or some other 3rd party product. At this point I don’t know if this is just something that is not part of k8s, or if my search skills suck.

Try narrowing your search to ImagePolicyWebhook:

This thread on Stack Overflow gives a good overview:

But other than the GitHub repo provided on that page I couldn’t find any OSS solution.

Kind regards,

Thank you. The Stack Overflow thread is really informative. The admission controller will definitely work. But I feel like I should drudge through the manual and learn OPA. I have a feeling that is where these policies will end up. Only downer is having to learn Rego. Does the world need another declarative language? 🙃

Just realizing that OPA in k8s is an admission controller.
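
As an added example (not from the thread or from the repository it mentions), this is the decision an ImagePolicyWebhook backend could make for the question above: it reads the `ImageReview` object the API server sends and answers `status.allowed`, globally or per namespace. The registry names, the namespace table and the function names are assumptions.

```python
# Added example: decision logic for an ImagePolicyWebhook backend.
# Registry names and the namespace table are constructed placeholders.
DEFAULT_ALLOWED = {"registry.example.internal"}
PER_NAMESPACE = {"sandbox": {"registry.example.internal", "docker.io"}}


def registry_of(image):
    """Registry host of an image reference, using the Docker convention:
    the first path component is a registry only if it contains '.' or ':'
    or is 'localhost'; anything else resolves to Docker Hub."""
    first, slash, _ = image.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"


def review(image_review):
    """Answer an imagepolicy.k8s.io/v1alpha1 ImageReview request."""
    spec = image_review.get("spec", {})
    allowed = PER_NAMESPACE.get(spec.get("namespace"), DEFAULT_ALLOWED)
    images = [c.get("image", "") for c in spec.get("containers", [])]
    # Compare the parsed host exactly; a prefix match on the raw string would
    # accept "registry.example.internal.lookalike.example/app".
    denied = [i for i in images if registry_of(i) not in allowed]
    status = {"allowed": bool(images) and not denied}
    if not images:
        status["reason"] = "no container images in review"  # fail closed
    elif denied:
        status["reason"] = "registry not allowed: " + ", ".join(denied)
    return {"apiVersion": "imagepolicy.k8s.io/v1alpha1",
            "kind": "ImageReview", "status": status}


def make_review(namespace, *images):
    """Build a constructed ImageReview request for the demo below."""
    return {"apiVersion": "imagepolicy.k8s.io/v1alpha1", "kind": "ImageReview",
            "spec": {"namespace": namespace,
                     "containers": [{"image": i} for i in images]}}


if __name__ == "__main__":
    for ns, img in [("prod", "registry.example.internal/team/app:1.4"),
                    ("prod", "nginx:1.25"),
                    ("sandbox", "nginx:1.25"),
                    ("prod", "registry.example.internal.lookalike.example/app")]:
        print(ns, img, review(make_review(ns, img))["status"])
```

A real backend would serve `review` over HTTPS and return its result as the JSON response body.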