Require Image Source

Images can be built from a variety of source control locations and the name does not necessarily indicate this mapping. Ensuring that known good repositories are the source of images helps ensure supply chain security. This policy checks the container images and ensures that they specify the source in either a label `org.opencontainers.image.source` or a newer annotation in the manifest of the same name.

Policy Definition

/other/require_image_source/require-image-source.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-image-source
  annotations:
    policies.kyverno.io/title: Require Image Source
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.7.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Images can be built from a variety of source control locations and
      the name does not necessarily indicate this mapping. Ensuring that known good
      repositories are the source of images helps ensure supply chain security. This
      policy checks the container images and ensures that they specify the source in
      either a label `org.opencontainers.image.source` or a newer annotation in the
      manifest of the same name.
spec:
  validationFailureAction: audit
  rules:
  - name: check-source
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: NotEquals
        value: DELETE
    validate:
      message: "The image source must be specified in a label or annotation."
      foreach:
      - list: "request.object.spec.containers"
        context:
        - name: imageData
          imageRegistry:
            reference: "{{ element.image }}"
            jmesPath: "{labels: configData.config.Labels, annotations: manifest.annotations}"
        deny:
          conditions:
            all:
              - key: "{{ imageData.labels.\"org.opencontainers.image.source\" || '' }}"
                operator: NotEquals
                value: "*?"
              - key: "{{ imageData.annotations.\"org.opencontainers.image.source\" || '' }}"
                operator: NotEquals
                value: "*?"
```
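The deny block above only fires when both conditions in its `all` list hold, that is, when neither the image config label nor the manifest annotation carries a non-empty `org.opencontainers.image.source` value (the `|| ''` fallback turns a missing key into an empty string, and the `*?` wildcard matches only strings of one or more characters). The following script is an added illustration of that evaluation order and is not Kyverno's own code: it re-implements the rule in plain Python over constructed image config and manifest JSON. The `image_source`, `is_denied` and `evaluate_pod` functions, the `NON_EMPTY` regex standing in for Kyverno's wildcard matcher, and the `SAMPLE_REGISTRY` dictionary that replaces the real `imageRegistry` lookup are all assumptions made for the example; none of the image references or URLs in it are real.

```python
import json
import re

# The OCI key the policy looks for, as both an image-config label and a manifest annotation.
SOURCE_KEY = "org.opencontainers.image.source"

# Kyverno's "*?" wildcard matches any string of one or more characters; an empty
# string does not match it. This regex is a hypothetical stand-in for that matcher.
NON_EMPTY = re.compile(r".+", re.DOTALL)


def image_source(config_json: str, manifest_json: str) -> dict:
    """Mirror the policy's jmesPath: labels come from the image config
    (configData.config.Labels), annotations from the manifest (manifest.annotations)."""
    config = json.loads(config_json)
    manifest = json.loads(manifest_json)
    labels = (config.get("config") or {}).get("Labels") or {}
    annotations = manifest.get("annotations") or {}
    return {"labels": labels, "annotations": annotations}


def is_denied(image_data: dict) -> bool:
    """True when BOTH conditions of the policy's `all` block hold, i.e. neither the
    label nor the annotation carries a non-empty source value."""
    label = image_data["labels"].get(SOURCE_KEY) or ""          # `|| ''` in the policy
    annotation = image_data["annotations"].get(SOURCE_KEY) or ""
    return NON_EMPTY.fullmatch(label) is None and NON_EMPTY.fullmatch(annotation) is None


def evaluate_pod(pod: dict, registry: dict) -> list:
    """Apply the foreach over spec.containers. `registry` is a constructed stand-in
    for the imageRegistry context lookup, mapping image reference -> (config JSON,
    manifest JSON). Returns the image references the policy would deny."""
    denied = []
    for container in pod["spec"]["containers"]:
        config_json, manifest_json = registry[container["image"]]
        if is_denied(image_source(config_json, manifest_json)):
            denied.append(container["image"])
    return denied


# --- Constructed sample image metadata (not pulled from any real registry) ---
CONFIG_WITH_LABEL = json.dumps(
    {"config": {"Labels": {SOURCE_KEY: "https://github.com/example-org/app"}}})
CONFIG_EMPTY_LABEL = json.dumps({"config": {"Labels": {SOURCE_KEY: ""}}})
CONFIG_NO_LABEL = json.dumps({"config": {"Labels": {"maintainer": "team@example.invalid"}}})
MANIFEST_PLAIN = json.dumps({"schemaVersion": 2, "layers": []})
MANIFEST_WITH_ANNOTATION = json.dumps(
    {"schemaVersion": 2, "layers": [],
     "annotations": {SOURCE_KEY: "https://github.com/example-org/sidecar"}})

SAMPLE_REGISTRY = {
    "registry.example.invalid/app:1.0": (CONFIG_WITH_LABEL, MANIFEST_PLAIN),          # label only
    "registry.example.invalid/sidecar:1.0": (CONFIG_NO_LABEL, MANIFEST_WITH_ANNOTATION),  # annotation only
    "registry.example.invalid/legacy:1.0": (CONFIG_NO_LABEL, MANIFEST_PLAIN),         # neither
    "registry.example.invalid/blank:1.0": (CONFIG_EMPTY_LABEL, MANIFEST_PLAIN),       # empty label, no annotation
}

# A constructed Pod whose containers reference the four sample images above.
SAMPLE_POD = {"spec": {"containers": [
    {"name": ref.split("/")[-1].split(":")[0], "image": ref} for ref in SAMPLE_REGISTRY]}}

if __name__ == "__main__":
    for image in evaluate_pod(SAMPLE_POD, SAMPLE_REGISTRY):
        print(f"DENY {image}: The image source must be specified in a label or annotation.")
```

Two details of the real policy are worth keeping in mind when reading the result: the foreach iterates only `spec.containers`, so initContainers are not checked, and `validationFailureAction: audit` means a failing image is reported as a policy violation rather than blocked at admission. An image satisfies the rule as soon as either the `org.opencontainers.image.source` label in its config or the annotation of the same name in its manifest is non-empty.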