I am trying to figure out if it’s possible to restrict a cluster at a global level, or per namespace, to only allow pulling from a specific registry. I am starting to think this is something I would have to do with OPA or some other 3rd party product. At this point I don’t know if this is just something that is not part of k8s, or if my search skills suck.
Try narrowing your search to ImagePolicyWebhook:
This thread on Stack Overflow gives a good overview:
But other than the GitHub repo provided on that page I couldn’t find any OSS solution.
Kind regards,
Stephen
Thank you. The Stack Overflow thread is really informative. The admission controller will definitely work. But I feel like I should drudge through the manual and learn OPA. I have a feeling that is where these policies will end up. Only downer is having to learn Rego. Does the world need another declarative language?
Just realizing that OPA in k8s is an admission controller.
Adding to this. I set up OPA in a few clusters and was able to limit the repos that one could pull from. But after a while of running, the two clusters became unresponsive. I couldn’t even create namespaces. I would see references to the OPA Gatekeeper in the errors. I ended up having to remove OPA from the cluster. I am now using IBM’s Portieris for image policies. No issues so far. I think OPA flaked since it is run as a single pod at this time. I did have the failurePolicy for it set to Ignore, but it really crashed and burned.
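The registry restriction discussed in this thread, sketched as the decision logic of a validating admission webhook. This is an added example, not code from any poster or from OPA or Portieris; the allow-list entry, the sample request and the function names are assumptions, and the HTTPS server and webhook registration are left out.

```python
# Added example: admission decision logic only (no HTTP/TLS server).
ALLOWED_REGISTRIES = {"registry.example.internal:5000"}  # hypothetical allow-list


def registry_of(image: str) -> str:
    """Return the registry host of an image reference, using Docker's rule:
    the first path component is a registry only if it contains '.' or ':'
    or is 'localhost'; otherwise the image resolves to Docker Hub."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"  # covers "nginx:1.25" and "library/nginx"


def pod_images(pod: dict):
    """Yield every image in the pod spec, including init and ephemeral containers."""
    spec = pod.get("spec", {})
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for container in spec.get(field) or []:
            yield container.get("image", "")


def review(admission_review: dict, allowed=ALLOWED_REGISTRIES) -> dict:
    """Build the AdmissionReview response for a Pod create/update request."""
    req = admission_review["request"]
    denied = sorted({i for i in pod_images(req["object"])
                     if registry_of(i) not in allowed})
    resp = {"uid": req["uid"], "allowed": not denied}
    if denied:
        resp["status"] = {"code": 403, "message":
                          "images from disallowed registries: " + ", ".join(denied)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": resp}


# Constructed sample request: the main container is allowed, the init container is not.
SAMPLE = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "request": {
    "uid": "constructed-uid-1",
    "object": {"kind": "Pod", "spec": {
        "containers": [{"name": "app",
                        "image": "registry.example.internal:5000/team/app:1.0"}],
        "initContainers": [{"name": "init", "image": "nginx:1.25"}]}}}}

if __name__ == "__main__":
    print(review(SAMPLE)["response"])
```

Checking only `containers` would let the `nginx:1.25` init container through, which is why all three container lists are walked.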