Conftest Policy for Kubernetes manifests for checking that images come from a specific registry

Question

I'm using conftest for validating policies on Kubernetes manifests.

Below policy validates that images in StatefulSet manifests have to come from specific registry reg_url

package main

deny[msg] {
  input.kind == "StatefulSet"
  not regex.match("[reg_url]/.+", input.spec.template.spec.initContainers[0].image)

  msg := "images come from artifactory"
}

Is there a way to enforce such policy for all kubernetes resources that have image field somewhere in their description? This may be useful for policy validation on all helm chart manifests, for instance.

I'm looking for something like:

package main

deny[msg] {
  input.kind == "*" // all resources
  not regex.match("[reg_url]/.+", input.*.image) // any nested image field

  msg := "images come from artifactory"
}

score 1 · Answer 1 · answered Sep 25 '22 at 20:21

You could do this using something like the walk built-in function. However, I would recommend against it, because:

You'd need to scan every attribute of every request/resource (expensive).
You can't know for sure that e.g. "image" means the same thing across all current and future resouce manifests, including CRDs.

I'd probably just stick with checking for a match of resource kind here, and include any resource type known to have an image attribute with a shared meaning.

Conftest Policy for Kubernetes manifests for checking that images come from a specific registry

1 Answers1