apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: deprecated-registry annotations: policies.kyverno.io/title: Restrict Image Registries policies.kyverno.io/category: Best Practices, EKS Best Practices policies.kyverno.io/severity: medium policies.kyverno.io/minversion: 1.9.0 policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- Legacy k8s.gcr.io container image registry will be frozen in early April 2023 k8s.gcr.io image registry will be frozen from the 3rd of April 2023. Images for Kubernetes 1.27 will not be available in the k8s.gcr.io image registry. Please read our announcement for more details. https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/ spec: validationFailureAction: Enforce # validationFailureAction: Audit background: true rules: - name: deprecated-registry match: any: - resources: kinds: - Pod validate: message: "The \"k8s.gcr.io\" image registry is deprecated. \"registry.k8s.io\" should now be used." foreach: - list: "request.object.spec.[initContainers, ephemeralContainers, containers][]" deny: conditions: all: - key: "{{ element.image }}" operator: Equals value: "k8s.gcr.io/*"