Add an image registry policy that restricts the images that can be pulled for deployment in your managed namespaces.

Prerequisites

Log in to the Tanzu Mission Control console, go to the Policies page and view the image registry policies for the object, as described in View the Policy Assignments for an Object.

Make sure you have the appropriate permissions.
  • To create an image registry policy for an object, you must be associated with the .admin role for that object.

Procedure

  1. On the Policies page, click the Image registry tab, and then click the Workspaces organization view.
  2. Use the tree control to navigate to and select the object for which you want to create an image registry policy.
  3. Click Create Image Registry Policy.
  4. Select the recipe you want to use.
    • The Allow Registry recipe is deprecated. You can replace existing policies that use this recipe with a new policy using the Custom recipe with a hostname rule.
    • The Block latest tag recipe prevents the use of images that are tagged latest.
    • The Require Digest recipe prevents the use of images that do not have a digest.
    • The Name-Tag allowlist recipe allows you to create rules using an image name or tag name or both.
    • The Custom recipe allows you to create rules using multiple factors.
  5. Provide a policy name.
  6. Specify the details for the selected recipe (if required).
    The Block latest tag and Require Digest recipes do not require any further specification.

    The Name-Tag allowlist and Custom recipes allow you to create multiple rules, each using a combination of options. Only the options that you specify are restricted by the rule.

    Make sure you click Add Another Rule for each rule that you define.

  7. You can optionally provide label selectors to specify particular namespaces that you want to include or exclude for this policy.
    For more information about how label selectors work, see Policy-Driven Cluster Management in VMware Tanzu Mission Control Concepts.
  8. Click Create Policy.

Results

When you click Create Policy, the new image registry policy is applied to the object and is displayed on the Policies page.
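
Before assigning a policy, it helps to know which image references already used in your workloads the recipes in step 4 would reject. The following is an added example, not Tanzu Mission Control code: the rule labels, the sample references, the exact-match hostname comparison, and the treatment of an untagged reference as latest are assumptions of this sketch.

```python
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def parse_image_ref(ref):
    """Split an image reference into registry host, name, tag and digest."""
    ref, _, digest = ref.partition("@")
    first, _, rest = ref.partition("/")
    # The first path component is a registry host only if it looks like one.
    if rest and ("." in first or ":" in first or first == "localhost"):
        host, path = first, rest
    else:
        host, path = "docker.io", ref  # default registry used by container runtimes
    name, sep, tag = path.rpartition(":")
    if not sep:  # no colon left in the path, so no tag was given
        name, tag = path, None
    if not DIGEST_RE.match(digest):
        digest = None  # missing or malformed digest counts as no digest
    return {"host": host, "name": name, "tag": tag, "digest": digest}

def evaluate(ref, allowed_hosts=()):
    """Return the (hypothetical) rule labels that `ref` would violate."""
    img = parse_image_ref(ref)
    violations = []
    # Assumption: a reference with neither tag nor digest resolves to "latest".
    if img["tag"] == "latest" or (img["tag"] is None and img["digest"] is None):
        violations.append("block-latest-tag")
    if img["digest"] is None:
        violations.append("require-digest")
    # Assumption: the hostname rule is an exact match on host[:port].
    if allowed_hosts and img["host"] not in allowed_hosts:
        violations.append("hostname-rule")
    return violations

# Constructed sample references, as they might appear in pod specs.
SAMPLE_REFS = [
    "nginx",
    "registry.example.com/team/app:1.4.2",
    "registry.example.com/team/app@sha256:" + "a" * 64,
    "ghcr.io/org/tool:latest",
]

def report(refs, allowed_hosts=("registry.example.com",)):
    """Map each reference to the rule labels it would violate."""
    return {ref: evaluate(ref, allowed_hosts) for ref in refs}

if __name__ == "__main__":
    for ref, violations in report(SAMPLE_REFS).items():
        print(f"{ref}: {', '.join(violations) or 'ok'}")
```

Only the reference pinned by digest on the allowed registry passes all three checks; a version tag alone still fails the digest check.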