Add an image registry policy that restricts the images that can be pulled for deployment in your managed namespaces.


Log in to the Tanzu Mission Control console, go to the Policies page and view the image registry policies for the object, as described in View the Policy Assignments for an Object.

Make sure you have the appropriate permissions.
  • To create an image registry policy for an object, you must be associated with the .admin role for that object.


  1. On the Policies page, click the Image registry tab.
  2. Use the tree control to navigate to and select the object for which you want to create an image registry policy.
  3. Click Create Image Registry Policy.
  4. Select the recipe you want to use.
    • The Allow Registry recipe is deprecated. You can replace existing policies that use this recipe with a new policy using the Custom recipe with a hostname rule.
    • The Block latest tag recipe prevents the use of images that are tagged latest.
    • The Require Digest recipe prevents the use of images that do not have a digest.
    • The Name-Tag allowlist recipe allows you to create rules using an image name or tag name or both.
    • The Custom recipe allows you to create rules using multiple factors.
  5. Provide a policy name.
  6. Specify the details for the selected recipe (if required).
    The Block latest tag and Require Digest recipes do not require any further specification.

    The Name-Tag allowlist and Custom recipes allow you to create multiple rules using a combination of options. Only the options that you specify are restricted by the rule. You can create multiple rules.

    Make sure you click Add Another Rule for each rule that you define.

  7. You can optionally provide label selectors to specify particular namespaces that you want to include or exclude for this policy.
    For more information about how label selectors work, see Policy-Driven Cluster Management in VMware Tanzu Mission Control Concepts.
  8. Select the Enforcement action you want the policy to use.
    • Deny (default) indicates the policy is fully enforced, denying admission requests with any violation.
    • Dry run indicates the policy is not enforced, but allows you to see the impact of the policy for testing. If this option is selected, the policy does not prevent containers from being scheduled on the cluster, but you do receive alerts for policy violations. You can later edit this policy to re-enable policy enforcement.
    • Warn works like dry run, except that it provides immediate feedback when a potential denial occurs.
  9. Click Create Policy.


When you click Create Policy, the new image registry policy is applied to the object and is displayed on the Policies page.