The ImageAllowlist is an important and special policy that deserves dedicated explanation. When this policy is active in a cluster, a container is only allowed to run if its image is on a pre-defined allowlist. The allowlist can be maintained on a global (cluster) level or individually for each namespace. If an image matches one of the registries or images defined either globally or for the namespace it is deployed to, no violation is reported.
You can either allow individual images or every image from a trusted registry. When specifying individual images you can also restrict the use to specific image tags.
To add images to the global allowlist, locate the file constraints/imageallowlist-constraint.yaml in the directory where the policies are stored in your GitOps repository. Modify the fields spec.parameters.trustedregistries and spec.parameters.trustedimages as required. See the example below for an idea of how to use it:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ImageAllowlist
metadata:
  name: imageallowlist
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
    argocd.argoproj.io/sync-wave: "-100"
spec:
  parameters:
    trustedregistries:
      - trusted.registry.com
      - another.registry.com/my-repo
    trustedimages:
      - registry.com/repo/trusted-image
      - trusted-image
      - trusted-image-with-version:v1.0
[...]
The allowlist on individual namespaces works in a similar fashion. You specify the allowed images/registries as annotations directly on the Namespace resource:

apiVersion: v1
kind: Namespace
metadata:
  name: my-namespace
  annotations:
    securitytower.io/imageallowlist.trustedregistries: >-
      trusted.registry.com
      another.registry.com/my-repo
    securitytower.io/imageallowlist.trustedimages: >-
      registry.com/repo/trusted-image
      trusted-image
      trusted-image-with-version:v1.0
NOTE: To provide correct Pull Request feedback, Syncier Security Tower must be able to find the namespace definitions in the GitOps repository. Make sure to add the location(s) of the namespace definitions to your cluster configuration.
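The following is an added illustration, not Security Tower's own policy code: a small evaluator that mirrors how the global constraint parameters and the namespace annotations shown above combine into one allowlist and decide whether an image reference is reported. The matching rules (registry entries match as a "<entry>/" prefix, image entries match the name exactly and accept any tag unless the entry pins one, no docker.io/library normalisation) are assumptions about the policy, and all lists and image references are constructed sample data.

```python
from typing import Optional

# Constructed: the global constraint parameters, mirroring the ImageAllowlist YAML above.
GLOBAL_REGISTRIES = ["trusted.registry.com", "another.registry.com/my-repo"]
GLOBAL_IMAGES = ["registry.com/repo/trusted-image", "trusted-image",
                 "trusted-image-with-version:v1.0"]

# Constructed: namespace annotations as the API server returns them; the folded
# scalar (>-) from the manifest arrives as one space-separated string.
NAMESPACE_ANNOTATIONS = {
    "securitytower.io/imageallowlist.trustedregistries": "ns.registry.example",
    "securitytower.io/imageallowlist.trustedimages": "ns-tool:3.1",
}

def split_ref(image: str) -> tuple[str, Optional[str]]:
    """Split 'name[:tag]' into (name, tag); a ':' before the last '/' is a port, not a tag."""
    image = image.split("@", 1)[0]              # drop a digest suffix, if present
    name, sep, tag = image.rpartition(":")
    if sep and "/" not in tag:
        return name, tag
    return image, None

def effective_allowlist(annotations: dict) -> tuple[list, list]:
    """Merge the global lists with the namespace annotations (assumption: both apply)."""
    regs = GLOBAL_REGISTRIES + annotations.get(
        "securitytower.io/imageallowlist.trustedregistries", "").split()
    imgs = GLOBAL_IMAGES + annotations.get(
        "securitytower.io/imageallowlist.trustedimages", "").split()
    return regs, imgs

def is_allowed(image: str, registries: list, images: list) -> bool:
    """True if the image is covered by a trusted registry or a trusted image entry."""
    # The trailing "/" keeps "trusted.registry.com" from matching
    # "trusted.registry.com.evil.example/app" by plain prefix.
    if any(image.startswith(r.rstrip("/") + "/") for r in registries):
        return True
    name, tag = split_ref(image)
    for entry in images:
        entry_name, entry_tag = split_ref(entry)
        if entry_name == name and (entry_tag is None or entry_tag == tag):
            return True
    return False

def violations(container_images: list, annotations: dict) -> list:
    """Return the images of a workload that the policy would report."""
    regs, imgs = effective_allowlist(annotations)
    return [img for img in container_images if not is_allowed(img, regs, imgs)]
```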
Syncier Security Tower provides a dedicated screen where you can see which images are used in your clusters. It also shows the images on the allowlist, and provides an overview of Risk Acceptances and violations.