Create and manage image registry policies on Tanzu Platform for Kubernetes

Define the registries from which images can be pulled for deployment in your managed namespaces on Tanzu Platform for Kubernetes. You can make the deployments to namespaces in your clusters more secure by restricting the image registries from which images can be pulled, as well as the images that can be pulled from a registry.

By default, Tanzu Platform for Kubernetes does not impose any such restriction, and allows you to manage image registry restrictions for projects, cluster groups, and clusters.

Before you begin

To create an image registry policy for an object, you must be associated with the .admin role for that object.

To confirm you have the correct permissions:

  1. Log in to Tanzu Platform hub.
  2. On the left navigation, click Operations Policies > Cluster Policies.
  3. Verify you have the appropriate permissions.

Create an image policy

Do the following to create an image policy in your project in Tanzu Platform hub:

  1. In the left navigation pane, scroll to Application Platform.
  2. Expand Kubernetes Operations.
  3. On the Cluster groups and Clusters page, use the tree control to navigate to and select the object for which you want to create an image policy.
  4. Click Create Policy.
  5. Select Image Registry.

  6. Provide a policy name.

    The Scope and Object name is auto generated based on the object you selected in the tree. Provide any of the following parameters:

    • Hostname and port
    • Image Name
    • Tags or Require Digests

    Make sure you click Add Rule for each rule that you define.

  7. Select the Enforcement action you want the policy to use.

    Enforcement action Description
    Deny (default) The policy is fully enforced.
    Requests that violate the policy are denied admission.
    Dry run The policy is not enforced.
    However, you can see the impact of the policy for testing. If this option is selected, the policy does not prevent containers from being scheduled on the cluster, but you do receive alerts for policy violations. You can later edit this policy to re-enable policy enforcement.
    Warn Similar to Dry run, except that it provides immediate feedback when a potential denial occurs.

  8. (Optional) Provide label selectors to specify particular namespaces that you want to include or exclude for this policy.

  9. Click Create Policy.

    The policy is applied to the object and displayed on the Policies page.

check-circle-line exclamation-circle-line close-line
Scroll to top icon