starlingx/docs
Code Issues Proposed changes
docs/doc/source/security/kubernetes/portieris-clusterimagepolicy-and-imagepolicy-configuration.rst
Ron Stone f125a8b892 Remove spurious escapes (r8,dsR8) 
This change addresses a long-standing issue in rST documentation imported from XML.
That import process added backslash escapes in front of various characters. The three
most common being '(', ')', and '_'.
These instances are removed.

Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Change-Id: Id43a9337ffcd505ccbdf072d7b29afdb5d2c997e
2023-03-01 11:19:04 +00:00

2.9 KiB
Raw Blame History

Portieris ClusterImagePolicy and ImagePolicy Configuration

Portieris supports cluster-wide and namespace-specific image policies.

ImagePolicy

You can define Portieris' behavior in a namespace using an ImagePolicy. In namespaces where ImagePolicies exist, they are used exclusively. If they do not contain a match for the workload image being launched, then ClusterImagePolicies are not referenced. For deployed workloads, images are wildcard-matched against defined policies. If a policy matching the workload image is not found then deployment is denied. If there are multiple matches the most specific match is used.

ClusterImagePolicy

You configure a ClusterImagePolicies at the cluster level. It will be used if no ImagePolicy resource is defined in the namespace in which the workload will be deployed. These resources have the same structure as namespace ImagePolicies. Again, for deployed workloads, images are wildcard-matched against defined policies and deployment will be denied if no matching policy is found for an image. If there are multiple matches the most specific match is used.

Trust Policies

You can specify a [Cluster]ImagePolicy to allow any image from a trusted repository(s) or only allow images with trust data from a repository in a registry+notary server

  • This example allows any image from a trusted icr.io registry; i.e. an empty policy:

    apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
kind: ImagePolicy
metadata:
  name: allow-all-icrio
spec:
   repositories:
    - name: "icr.io/*"
      policy:

  • This example allows only images with valid trust data (policy.trust.enabled=true) from the icr.io registry + notary (policy.trust.trustServer) server.

    apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
kind: ImagePolicy
metadata:
  name: allow-custom
spec:
   repositories:
    - name: "icr.io/*"
      policy:
        trust:
          enabled: true
          trustServer: "https://icr.io:4443"

For additional details about policies, see https://github.com/IBM/portieris/blob/master/POLICIES.md.