built-in-references/Kubernetes/container-allowed-images/template.yaml (32 lines of code) (raw):
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8sazurecontainerallowedimages
spec:
crd:
spec:
names:
kind: K8sAzureContainerAllowedImages
listKind: K8sAzureContainerAllowedImagesList
plural: k8sazurecontainerallowedimages
singular: k8sazurecontainerallowedimages
validation:
# Schema for the `parameters` field
openAPIV3Schema:
properties:
imageRegex:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8sazurecontainerallowedimages
violation[{"msg": msg}] {
container := input_containers[_]
not re_match(input.parameters.imageRegex, container.image)
msg := sprintf("Container image %v for container %v has not been allowed.", [container.image, container.name])
}
input_containers[c] {
c := input.review.object.spec.containers[_]
}
input_containers[c] {
c := input.review.object.spec.initContainers[_]
}