Restrict Container Images
You can specify container image URLs in a workspace to restrict access to those images for specific namespaces. A restricted image cannot be loaded into any cluster of the workspace in the namespaces you specify.
Access control to images is enforced with Kyverno policies that Palette installs in the workspace clusters. For more information about Kyverno, refer to the Kyverno documentation.
Prerequisites
- An active Palette workspace. Refer to Create a Workspace to learn how to create one.
- You are logged in as a Palette user that has the permission to modify workspaces. For more information, refer to Permissions.
Restrict Container Image
- Log in to Palette.
- In the drop-down Menu at the top of the page, choose the project that has your workspace.
- On the left Main Menu, click Workspaces.
- Click on the workspace in which you want to restrict container images.
- In the upper-right corner, click Settings.
- Click Container Images.
- Enter the namespace you want to restrict image access for. Then enter the images to restrict, each identified by its tag (for example, registry/repository:tag), separated by commas.
- Click Save Changes.
Validate
- Connect to a cluster in your workspace using kubectl. For more information, refer to Access Cluster with kubectl.
- Issue the following command to view the Kyverno policy used to control image access.

  kubectl describe cpol cluster-policy-palette-system

- Check under spec.rules.preconditions and spec.rules.validate. Confirm that the rules for the namespaces you entered restrict the listed container images from loading.
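To make the preconditions and validate sections easier to recognize when you inspect the policy, the following is an added, illustrative Kyverno ClusterPolicy written for this page. It is not the policy Palette generates (Palette's policy is named cluster-policy-palette-system and its exact rule layout may differ); the policy name, the namespace team-a and the two image references are constructed sample values. It uses standard Kyverno constructs: a match on Pods in one namespace, a precondition that limits the rule to CREATE and UPDATE requests, and a validate.deny rule that rejects a Pod if any of its container images appears in the restricted list.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  # Hypothetical name for this example; Palette's policy is cluster-policy-palette-system.
  name: example-restrict-images
spec:
  # Enforce: admission requests that violate a rule are rejected, not only audited.
  validationFailureAction: Enforce
  # Do not scan existing resources; only evaluate admission requests.
  background: false
  rules:
    - name: block-restricted-images-in-team-a
      match:
        any:
          - resources:
              kinds:
                - Pod
              # Only Pods in this namespace are subject to the rule (constructed value).
              namespaces:
                - team-a
      preconditions:
        all:
          # Apply the rule to CREATE and UPDATE admission requests only.
          - key: "{{ request.operation || 'BACKGROUND' }}"
            operator: AnyIn
            value:
              - CREATE
              - UPDATE
      validate:
        message: "One or more container images in this Pod are restricted in namespace team-a."
        deny:
          conditions:
            any:
              # Deny if any image in spec.containers is in the restricted list.
              - key: "{{ request.object.spec.containers[].image }}"
                operator: AnyIn
                value:
                  # Constructed sample image references for this example.
                  - "docker.io/library/nginx:1.25"
                  - "docker.io/library/busybox:latest"
              # Also cover init containers so a restricted image cannot run as an initContainer.
              - key: "{{ request.object.spec.initContainers[].image || `[]` }}"
                operator: AnyIn
                value:
                  - "docker.io/library/nginx:1.25"
                  - "docker.io/library/busybox:latest"
```

When you run kubectl describe cpol cluster-policy-palette-system, look for the equivalent of the preconditions and validate blocks above: the namespace you entered in the workspace settings should appear in the match or precondition section, and the images you listed should appear in the validate section. Because deny conditions compare the full image reference as written in the Pod spec, an image that is referenced by digest or by a different registry alias is not matched by a tag-based entry, so check that the entries you saved use the same form your workloads use.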