3c5fa979a4

Re-organized topic hierarchy

Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit

Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5
Signed-off-by: Keane Lim <keane.lim@windriver.com>
Signed-off-by: MCamp859 <maryx.camp@intel.com>
		
			
				
	
	
		
.. _portieris-clusterimagepolicy-and-imagepolicy-configuration:

==========================================================
Portieris ClusterImagePolicy and ImagePolicy Configuration
==========================================================

Portieris supports cluster-wide and namespace-specific image policies.

.. _portieris-clusterimagepolicy-and-imagepolicy-configuration-section-cv5-2wk-4mb:

-----------
ImagePolicy
-----------

You can define Portieris' behavior in a namespace using an ImagePolicy. In
namespaces where ImagePolicies exist, they are used exclusively: if they do
not contain a match for the workload image being launched, the
ClusterImagePolicies are not consulted. For deployed workloads, images are
wildcard-matched against the defined policies. If no policy matches the
workload image, the deployment is denied. If there are multiple matches,
the most specific match is used.

.. _portieris-clusterimagepolicy-and-imagepolicy-configuration-section-vmd-fwk-4mb:

------------------
ClusterImagePolicy
------------------

You configure ClusterImagePolicies at the cluster level. They are used only
if no ImagePolicy resource is defined in the namespace in which the workload
will be deployed. These resources have the same structure as namespace
ImagePolicies. Again, for deployed workloads, images are wildcard-matched
against the defined policies, and deployment is denied if no matching policy
is found for an image. If there are multiple matches, the most specific
match is used.

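The namespace-exclusive lookup and most-specific-match rule described above, as an added Python example that is not Portieris code. The ``RepoPolicy`` model, the meaning of ``*`` (any run of characters) and the tie-break for "most specific" (most literal characters in the pattern) are assumptions made here for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


# Hypothetical minimal model of one 'repositories' entry. Real Portieris
# policies carry more fields; only those discussed on this page appear here.
@dataclass(frozen=True)
class RepoPolicy:
    name: str                           # repository pattern, e.g. "icr.io/*"
    trust_enabled: bool = False         # policy.trust.enabled
    trust_server: Optional[str] = None  # policy.trust.trustServer


def wildcard_match(pattern: str, image: str) -> bool:
    """True if `image` matches `pattern`; '*' matches any run of characters,
    every other character is literal, and the match is anchored at both ends."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, image) is not None


def specificity(pattern: str) -> int:
    """Assumed tie-break for 'most specific match': count of literal chars."""
    return len(pattern.replace("*", ""))


def resolve_policy(image: str,
                   namespace_policies: List[RepoPolicy],
                   cluster_policies: List[RepoPolicy]) -> Optional[RepoPolicy]:
    """Return the policy entry governing `image`, or None meaning 'deny'.

    Namespace ImagePolicy entries, when present, are used exclusively; the
    ClusterImagePolicy set is consulted only when the namespace has none.
    No match in the chosen set denies the workload."""
    candidates = namespace_policies if namespace_policies else cluster_policies
    hits = [p for p in candidates if wildcard_match(p.name, image)]
    if not hits:
        return None
    return max(hits, key=lambda p: specificity(p.name))


# Constructed sample policies mirroring the page's YAML examples.
NAMESPACE_POLICIES = [
    RepoPolicy("icr.io/*"),                                    # allow-all-icrio
    RepoPolicy("icr.io/team/*", True, "https://icr.io:4443"),  # signed images only
]
CLUSTER_POLICIES = [RepoPolicy("docker.io/*")]

if __name__ == "__main__":
    for img in ["icr.io/team/app:1.0", "icr.io/public/tool:2", "docker.io/library/nginx:latest"]:
        chosen = resolve_policy(img, NAMESPACE_POLICIES, CLUSTER_POLICIES)
        print(img, "->", "DENY" if chosen is None else f"{chosen.name} trust={chosen.trust_enabled}")
```

Note that ``docker.io/library/nginx:latest`` is denied while the namespace policies exist, even though a ClusterImagePolicy would allow it; the cluster policy only applies once the namespace list is empty.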
| 
 | |
| .. _portieris-clusterimagepolicy-and-imagepolicy-configuration-section-avq-x4r-4mb:
 | |
| 
 | |
| --------------
 | |
| Trust Policies
 | |
| --------------
 | |
| 
 | |
| You can specify a \[Cluster\]ImagePolicy to allow any image from a trusted
 | |
| repository\(s\) or only allow images with trust data from a repository in a
 | |
| registry+notary server
 | |
| 
 | |
| 
 | |
| .. _portieris-clusterimagepolicy-and-imagepolicy-configuration-ul-bjc-hpr-4mb:
 | |
| 
 | |
| -   This example allows any image from a trusted icr.io registry; i.e. an empty policy:
 | |
| 
 | |
|     .. code-block:: none
 | |
| 
 | |
|         apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
 | |
|         kind: ImagePolicy
 | |
|         metadata:
 | |
|           name: allow-all-icrio
 | |
|         spec:
 | |
|            repositories:
 | |
|             - name: "icr.io/*"
 | |
|               policy:
 | |
| 
 | |
| -   This example allows only images with valid trust data \(policy.trust.enabled=true\) from the icr.io registry + notary \(policy.trust.trustServer\) server.
 | |
| 
 | |
|     .. code-block:: none
 | |
| 
 | |
|         apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
 | |
|         kind: ImagePolicy
 | |
|         metadata:
 | |
|           name: allow-custom
 | |
|         spec:
 | |
|            repositories:
 | |
|             - name: "icr.io/*"
 | |
|               policy:
 | |
|                 trust:
 | |
|                   enabled: true
 | |
|                   trustServer: "https://icr.io:4443"
 | |
| 
 | |
| 
 | |
| 
 | |
| For additional details about policies, see
 | |
| `https://github.com/IBM/portieris/blob/master/POLICIES.md
 | |
| <https://github.com/IBM/portieris/blob/master/POLICIES.md>`__.
 | |
| 
 |