- name: execution-denied
onResources:
- resource: pods
- resource: builds
reject: true
matchImageAnnotations:
- key: images.openshift.io/deny-execution (1)
value: "true"
skipOnResolutionFailure: true
×
Image Policy
Overview
You can control which images are allowed to run on your cluster using the ImagePolicy admission plug-in (currently considered beta). It allows you to control:
-
The source of images: which registries can be used to pull images
-
Image resolution: force pods to run with immutable digests to ensure the image does not change due to a re-tag
-
Container image label restrictions: force an image to have or not have particular labels
-
Image annotation restrictions: force an image in the integrated container registry to have or not have particular annotations
Configuring the ImagePolicy Admission Plug-in
To configure which images can run on your cluster, configure the ImagePolicy
Admission plug-in in the master-config.yaml file. You can set one or more
rules as required.
-
Reject images with a particular annotation:
Use this rule to reject all images that have a specific annotation set on them. The following rejects all images using the
images.openshift.io/deny-executionannotation:1 If a particular image has been deemed harmful, administrators can set this annotation to flag those images. -
Enable user to run images from Docker Hub:
Use this rule to allow users to use images from Docker Hub:
- name: allow-images-from-dockerhub onResources: - resource: pods - resource: builds matchRegistries: - docker.io
Following is an example configuration for setting multiple ImagePolicy
addmission plugin rules in the master-config.yaml file:
Annotated Example File
admissionConfig:
pluginConfig:
openshift.io/ImagePolicy:
configuration:
kind: ImagePolicyConfig
apiVersion: v1
resolveImages: AttemptRewrite (1)
executionRules: (2)
- name: execution-denied
# Reject all images that have the annotation images.openshift.io/deny-execution set to true.
# This annotation may be set by infrastructure that wishes to flag particular images as dangerous
onResources: (3)
- resource: pods
- resource: builds
reject: true (4)
matchImageAnnotations: (5)
- key: images.openshift.io/deny-execution
value: "true"
skipOnResolutionFailure: true (6)
- name: allow-images-from-internal-registry
# allows images from the internal registry and tries to resolve them
onResources:
- resource: pods
- resource: builds
matchIntegratedRegistry: true
- name: allow-images-from-dockerhub
onResources:
- resource: pods
- resource: builds
matchRegistries:
- docker.io
resolutionRules: (7)
- targetResource:
resource: pods
localNames: true
policy: AttemptRewrite
- targetResource: (8)
group: batch
resource: jobs
localNames: true (9)
policy: AttemptRewrite| 1 | Try to resolve images to an immutable image digest and update the image pull specification in the pod. |
| 2 | Array of rules to evaluate against incoming resources. If you only have
reject: true rules, the default is allow all. If you have any accept rule,
that is reject: false in any of the rules, the default behaviour of the
ImagePolicy switches to deny-all. |
| 3 | Indicates which resources to enforce rules upon. If nothing is specified, the default is pods. |
| 4 | Indicates that if this rule matches, the pod should be rejected. |
| 5 | List of annotations to match on the image object’s metadata. |
| 6 | If you are not able to resolve the image, do not fail the pod. |
| 7 | Array of rules allowing use of image streams in Kubernetes resources. The default configuration allows pods, replicationcontrollers, replicasets, statefulsets, daemonsets, deployments, and jobs to use same-project image stream tag references in their image fields. |
| 8 | Identifies the group and resource to which this rule applies. If resource is
*, this rule will apply to all resources in that group. |
| 9 | LocalNames will allow single segment names (for example, ruby:2.4) to
be interpreted as namespace-local image stream tags, but only if the resource or
target image stream has
local name resolution enabled. |
|
If you normally rely on infrastructure images being pulled using a default
registry prefix (such as docker.io or registry.access.redhat.com), those
images will not match to any |
Testing the ImagePolicy Admission Plug-in
-
Use the
openshift/image-policy-checkto test your configuration.For example, use the information above, then test like this:
oc import-image openshift/image-policy-check:latest --confirm
-
Create a pod using this YAML. The pod should be created.
apiVersion: v1 kind: Pod metadata: generateName: test-pod spec: containers: - image: docker.io/openshift/image-policy-check:latest name: first -
Create another pod pointing to a different registry. The pod should be rejected.
apiVersion: v1 kind: Pod metadata: generateName: test-pod spec: containers: - image: different-registry/openshift/image-policy-check:latest name: first -
Create a pod pointing to the internal registry using the imported image. The pod should be created and if you look at the image specification, you should see a digest in place of the tag.
apiVersion: v1 kind: Pod metadata: generateName: test-pod spec: containers: - image: <internal registry IP>:5000/<namespace>/image-policy-check:latest name: first -
Create a pod pointing to the internal registry using the imported image. The pod should be created and if you look at the image specification, you should see the tag unmodified.
apiVersion: v1 kind: Pod metadata: generateName: test-pod spec: containers: - image: <internal registry IP>:5000/<namespace>/image-policy-check:v1 name: first -
Get the digest from
oc get istag/image-policy-check:latestand use it foroc annotate images/<digest> images.openshift.io/deny-execution=true. For example:$ oc annotate images/sha256:09ce3d8b5b63595ffca6636c7daefb1a615a7c0e3f8ea68e5db044a9340d6ba8 images.openshift.io/deny-execution=true
-
Create this pod again, and you should see the pod rejected:
apiVersion: v1 kind: Pod metadata: generateName: test-pod spec: containers: - image: <internal registry IP>:5000/<namespace>/image-policy-check:latest name: first