Restricting allowed images with ImageAllowlist policy

The ImageAllowlist is an important and special policy that deserves dedicated explanation. When this policy is active in a cluster, a container is only allowed to run if its image is on a pre-defined allowlist. The allowlist can be maintained on a global (cluster) level or individually for each namespace. If an image matches one of the registries/images (defined either globally or for the namespace it is deployed to), no violation is reported.

Maintaining allowed images

You can either allow individual images or every image from a trusted registry. When specifying individual images you can also restrict the use to specific image tags.

To add images to the global allowlist, locate the file constraints/imageallowlist-constraint.yaml in the directory where the policies are stored in your GitOps repository. Modify the fields spec.parameters.trustedregistries and spec.parameters.trustedimages as required. See the example below for an idea on how to use it:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ImageAllowlist
metadata:
  name: imageallowlist
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
    argocd.argoproj.io/sync-wave: "-100"
spec:
  parameters:
    trustedregistries:
      - trusted.registry.com
      - another.registry.com/my-repo
    trustedimages:
      - registry.com/repo/trusted-image
      - trusted-image
      - trusted-image-with-version:v1.0
  [...]

The allowlist on individual namespaces works in a similar fashion. You specify the allowed images/registries as an annotation directly on the Namespace object:

apiVersion: v1
kind: Namespace
metadata:
  name: my-namespace
  annotations:
    securitytower.io/imageallowlist.trustedregistries: >-
      trusted.registry.com
      another.registry.com/my-repo
    securitytower.io/imageallowlist.trustedimages: >-
      registry.com/repo/trusted-image
      trusted-image
      trusted-image-with-version:v1.0

NOTE: To provide correct Pull Request feedback, Syncier Security Tower must be able to find the namespace definitions in the GitOps repository. Make sure to add the location(s) of the namespace definitions to your cluster configuration.
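As an added example (not Security Tower's own code), the following Python models the check this policy performs: it merges the global constraint's lists with a namespace's annotations and tests an image reference against the union. The precise matching rules (registry entries match as path prefixes, an image entry without a tag allows any tag, no docker.io/library normalisation) are assumptions; the sample values are copied from the two manifests above.

```python
# Added example (not Security Tower's own code): checks one image reference
# against the global constraint plus a namespace's annotations. Assumed rules:
# registry entries match as path prefixes, an image entry without a tag allows
# any tag, no docker.io/library normalisation.
REG_KEY = "securitytower.io/imageallowlist.trustedregistries"
IMG_KEY = "securitytower.io/imageallowlist.trustedimages"

# Constructed sample data, copied from the two manifests above.
GLOBAL_PARAMS = {
    "trustedregistries": ["trusted.registry.com", "another.registry.com/my-repo"],
    "trustedimages": ["registry.com/repo/trusted-image", "trusted-image",
                      "trusted-image-with-version:v1.0"],
}
NS_ANNOTATIONS = {  # a '>-' folded scalar arrives as one space-separated string
    REG_KEY: "trusted.registry.com another.registry.com/my-repo",
    IMG_KEY: "registry.com/repo/trusted-image trusted-image "
             "trusted-image-with-version:v1.0",
}

def parse_annotation(value):
    return value.split()

def split_tag(image):
    # Split 'name:tag'; a ':' in the host part (host:5000/img) is a port, not a tag.
    path, slash, last = image.rpartition("/")
    repo, colon, tag = last.partition(":")
    return (f"{path}/{repo}" if slash else repo), (tag if colon else None)

def image_allowed(image, trusted_registries, trusted_images):
    base, tag = split_tag(image)
    for reg in trusted_registries:
        # A registry/repo entry covers every image below that path.
        if base == reg or base.startswith(reg.rstrip("/") + "/"):
            return True
    for entry in trusted_images:
        # Exact name match; an entry carrying a tag pins that single tag.
        entry_base, entry_tag = split_tag(entry)
        if entry_base == base and (entry_tag is None or entry_tag == tag):
            return True
    return False

def allowed_in_namespace(image, global_params=GLOBAL_PARAMS,
                         ns_annotations=NS_ANNOTATIONS):
    # Global and namespace lists form a union: a match in either is enough.
    registries = list(global_params.get("trustedregistries", []))
    registries += parse_annotation(ns_annotations.get(REG_KEY, ""))
    images = list(global_params.get("trustedimages", []))
    images += parse_annotation(ns_annotations.get(IMG_KEY, ""))
    return image_allowed(image, registries, images)
```

Note that a near-miss such as another.registry.com/my-repository/app is rejected because the prefix check requires a path separator after the trusted repo, which is the kind of edge case worth confirming against your own policy engine.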

Image Management

Syncier Security Tower provides a dedicated screen where you can see which images are used in your clusters. It also shows the images on the allowlist, and provides an overview of Risk Acceptances and violations.