restrict cluster or namespace to only use a specific registry

I am trying to figure out if it’s possible to restrict a cluster at a global level, or per namespace, to only allow pulling from a specific registry. I am starting to think this is something I would have to do with OPA or some other 3rd party product. At this point I don’t know if this is just something that is not part of k8s, or if my search skills suck.

Try narrowing your search to ImagePolicyWebhook:

This thread on Stack Overflow gives a good overview:

But other than the GitHub repo provided on that page I couldn’t find any OSS solution.

Kind regards,
Stephen
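A sketch of the check an ImagePolicyWebhook backend performs, added here as an example that is not from this thread or from any project it mentions: a local mirror of the `ImageReview` object the API server POSTs, a cluster-wide allow list of registry prefixes with a per-namespace override, and a fail-closed decision. The registry hosts, the `ci` namespace and the subset of `ImageReview` fields declared are assumptions; the HTTPS handler that wraps `Review` is left out.

```go
package main

import "encoding/json"
import "strings"

// Local mirror of the imagepolicy.k8s.io/v1alpha1 ImageReview the API server
// POSTs to an ImagePolicyWebhook backend (assumption: only fields used here).
type ImageReview struct {
	Spec struct {
		Containers []struct{ Image string `json:"image"` } `json:"containers"`
		Namespace  string                                   `json:"namespace"`
	} `json:"spec"`
	Status struct {
		Allowed bool   `json:"allowed"`
		Reason  string `json:"reason,omitempty"`
	} `json:"status"`
}

// Allowed registry prefixes: cluster-wide default, overridden per namespace.
// Hosts and namespace names are constructed examples.
var clusterAllowed = []string{"registry.example.internal/"}
var namespaceAllowed = map[string][]string{"ci": {"registry.example.internal/", "ghcr.io/example-org/"}}

// imageAllowed matches the full reference against the prefixes for ns; a bare
// name like "nginx" (implicitly docker.io) matches no host prefix and is denied.
func imageAllowed(ns, image string) bool {
	prefixes, ok := namespaceAllowed[ns]
	if !ok {
		prefixes = clusterAllowed
	}
	for _, p := range prefixes {
		if strings.HasPrefix(image, p) {
			return true
		}
	}
	return false
}

// Review decodes an ImageReview body and fills in status: the pod is denied
// if any container image is outside the allow list (fail closed).
func Review(body []byte) (*ImageReview, error) {
	var r ImageReview
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, err
	}
	for _, c := range r.Spec.Containers {
		if !imageAllowed(r.Spec.Namespace, c.Image) {
			r.Status.Reason = "image " + c.Image + " not allowed in namespace " + r.Spec.Namespace
			return &r, nil // Allowed stays false
		}
	}
	r.Status.Allowed = true
	return &r, nil
}
```

Whether an unreachable backend allows or denies is decided by `defaultAllow` in the webhook's admission configuration, not by this code.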

Thank you. The Stack Overflow thread is really informative. The admission controller will definitely work. But I feel like I should drudge through the manual and learn OPA. I have a feeling that is where these policies will end up. Only downer is having to learn Rego. Does the world need another declarative language? :upside_down_face:

Just realizing that OPA in k8s is an admission controller.

Adding to this. I set up OPA in a few clusters and was able to limit the repos that one could pull from. But after a while of running, the two clusters became unresponsive. I couldn’t even create namespaces. I would see references to the OPA Gatekeeper in the errors. I ended up having to remove OPA from the cluster. I am now using IBM’s Portieris for image policies. No issues so far. I think OPA flaked since it is run as a single pod at this time. I did have the failurePolicy for it set to ignore, but it really crashed and burned.