Require Images Use Checksums #889
-
|
Is possible that kyverno automatically identifies the sha of the given image and check if it is whitelisted instead of forcing users to specify the sha digest? This will be helpful especially when the images are generated from helm charts. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 8 replies
-
|
Not quite sure what you're asking. You're referring to this policy, I presume, which only requires that an image be specified using its digest and not tag. If the digest isn't a valid digest, no image will be pulled. If you want to only allow digests from a whitelist, you can certainly do that in a separate rule/policy. |
Beta Was this translation helpful? Give feedback.
-
|
Not that I know of, but here are some resources to help: https://kyverno.io/docs/writing-policies/variables/#variables-from-container-images |
Beta Was this translation helpful? Give feedback.
-
|
i don't think these solutions are sufficient to compute the image digest on the fly. i'll explore for more options. |
Beta Was this translation helpful? Give feedback.
-
|
They are because Kyverno will automatically look up the digest for a tag and make that available in the variable. You can then take that variable and compare it against your whitelist which you store in, for example, a central ConfigMap. |
Beta Was this translation helpful? Give feedback.
-
|
@chipzoller I came across https://kyverno.io/policies/other/resolve-image-to-digest/resolve-image-to-digest/ policy which can get the digest from image tag. This solved my usecase. |
Beta Was this translation helpful? Give feedback.
@chipzoller I came across https://kyverno.io/policies/other/resolve-image-to-digest/resolve-image-to-digest/ policy which can get the digest from image tag. This solved my usecase.