Kyverno Version
1.12
Kubernetes Version
1.29
Kubernetes Platform
Minikube
Description
I referred to one policy from https://kyverno.io/policies/other/allowed-image-repos/allowed-image-repos/ and tried testing it on a minikube setup on my MacBook. I was setting the policy in Enforce mode, and even after putting the right image in the pod definition, it gives me the error below.
Error from server: error when creating "allowed_container.yaml": admission webhook "validate.kyverno.svc-fail" denied the request:
resource Pod/default/allowed was blocked due to the following policies
allowed-image-repos:
  good-repos: 'All images in this Pod must come from an authorized repository.'
Steps to reproduce
After that, create a policy file with the contents below:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: allowed-image-repos
  annotations:
    policies.kyverno.io/title: Allowed Image Repositories
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      In addition to restricting the image registry from which images are pulled, in some cases
      and environments it may be required to also restrict which image repositories are used,
      for example in some restricted Namespaces. This policy ensures that the only allowed
      image repositories present in a given Pod, across any container type, come from the
      designated list.
spec:
  validationFailureAction: Enforce
  background: true
  rules:
  - name: good-repos
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: >-
        All images in this Pod must come from an authorized repository.
      deny:
        conditions:
          all:
          - key: "{{ images.[containers, initContainers, ephemeralContainers][].*.name[] }}"
            operator: AnyNotIn
            value:
            - "gcr.io/datadoghq/agent"
After that, create the policy by running kubectl apply -f .yml
Since it is using the correct image, the pod should be created, and if I change the image to something else it should fail. That is what is expected, but unfortunately it is not happening.
Expected behavior
Pod should get created if the right image is used and the policy report should show the count of Pass as 1.
Screenshots
No response
Kyverno logs
No response
Slack discussion
No response
Troubleshooting
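As an added illustration that is not part of the report and not Kyverno's own code, the following Python models how the policy's deny condition evaluates against the `images` variable for the report's allow-listed image. It assumes Kyverno's documented image fields (registry, path, name as the last path segment, tag, digest) and the documented AnyNotIn meaning (true when at least one key element is absent from the value list); the sample Pod and its tag are constructed here.

```python
# Added illustration (not part of the bug report): evaluates the report's deny
# condition the way Kyverno would, to show what the JMESPath key compares.
# Assumption: Kyverno's `images` variable splits a reference into registry,
# path, name (last path segment), tag and digest; Docker Hub's "library/"
# normalisation is not modelled here.
CONTAINER_TYPES = ("containers", "initContainers", "ephemeralContainers")

def split_image_ref(ref: str) -> dict:
    """Split e.g. 'gcr.io/datadoghq/agent:7' into Kyverno-style image fields."""
    digest = ""
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    is_host = "." in first or ":" in first or first == "localhost"
    registry, remainder = (first, rest) if sep and is_host else ("docker.io", ref)
    path, tag = remainder, ""
    if ":" in remainder:
        path, tag = remainder.rsplit(":", 1)
    if not tag and not digest:
        tag = "latest"
    return {"registry": registry, "path": path, "name": path.rsplit("/", 1)[-1],
            "tag": tag, "digest": digest,
            # Not a Kyverno field: registry/path joined, for the comparison below.
            "repository": f"{registry}/{path}"}

def images_variable(pod: dict) -> dict:
    """Build the `images` variable: {containerType: {containerName: fields}}."""
    return {ctype: {c["name"]: split_image_ref(c["image"])
                    for c in pod["spec"].get(ctype, [])} for ctype in CONTAINER_TYPES}

def key_values(images: dict, field: str) -> list:
    """Same result as images.[containers, initContainers, ephemeralContainers][].*.<field>[]"""
    return [info[field] for ctype in images.values() for info in ctype.values()]

def any_not_in(key: list, value: list) -> bool:
    """Kyverno's AnyNotIn: true when at least one key element is absent from value."""
    return any(k not in value for k in key)

def policy_denies(pod: dict, allowed: list, field: str = "name") -> bool:
    """The report's single deny condition: AnyNotIn over the chosen image field."""
    return any_not_in(key_values(images_variable(pod), field), allowed)

# Constructed sample Pod using the image the report allow-lists (tag chosen here).
SAMPLE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "allowed"},
              "spec": {"containers": [{"name": "agent", "image": "gcr.io/datadoghq/agent:7"}]}}
ALLOWED = ["gcr.io/datadoghq/agent"]

if __name__ == "__main__":
    imgs = images_variable(SAMPLE_POD)
    print("key (.name):", key_values(imgs, "name"))                                    # ['agent']
    print("denied via .name:", policy_denies(SAMPLE_POD, ALLOWED))                     # True
    print("denied via registry/path:", policy_denies(SAMPLE_POD, ALLOWED, "repository"))  # False
```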