blob: a89f48afa5f960032ab2d9a8f7fb91ded5f3a023 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
---
openshift_master_admission_plugin_config:
openshift.io/ImagePolicy:
configuration:
kind: ImagePolicyConfig
apiVersion: v1
# To require that all images running on the platform be imported first, you may uncomment the
# following rule. Any image that refers to a registry outside of OpenShift will be rejected unless it
# unless it points directly to an image digest (myregistry.com/myrepo/image@sha256:ea83bcf...) and that
# digest has been imported via the import-image flow.
#resolveImages: Required
executionRules:
- name: execution-denied
# Reject all images that have the annotation images.openshift.io/deny-execution set to true.
# This annotation may be set by infrastructure that wishes to flag particular images as dangerous
onResources:
- resource: pods
- resource: builds
reject: true
matchImageAnnotations:
- key: images.openshift.io/deny-execution
value: "true"
skipOnResolutionFailure: true
|