GITBOOK-11: R8S-809: Restrict sources on K8s registry policy

Hannah Cooper
2026-02-23 21:57:05 +00:00
committed by gitbook-bot
parent d3df186f79
commit 5f78460ef8
2 changed files with 17 additions and 1 deletions

Binary file not shown.


@@ -24,4 +24,20 @@ Currently, only custom registry policies can be created. Future improvements to
<figure><img src="../../../../.gitbook/assets/2.37-kubernetes-registry.png" alt=""><figcaption></figcaption></figure>
Click **Add Access** to add the registry to the access list, multiple entries can be added. Each access added will show in the **Registry access list**. When you have finished adding access, click **Create policy**. A confirmation screen displays the changes being made and any existing policy that will be replaced. Click **Confirm** to acknowledge the changes and create the policy.
Click **Add Access** to add the registry to the access list. You can add multiple entries, and each will appear in the **Registry access list** table. To remove a registry, select the checkbox next to the entry and click **Remove** in the top right corner of the table.
To restrict deployment to approved container images only, enable **Restrict sources** and define the allowed images. You can set the scope to apply cluster-wide or limit it to specific namespaces.
The **Allowed sources** list is pre-populated with common images, including those required for Portainer to operate.&#x20;
| Field/Option | Overview |
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Restrict sources | When enabled, Portainer creates a Kubernetes `ValidatingAdmissionPolicy` to ensure only container images from approved registries can be deployed. Any Pod that references an image from an unapproved source will be rejected at admission time and will not be created. |
| Registry URL prefix | The container image or registry that is permitted for deployment. |
| Scope | Specify whether the allowed access should apply cluster-wide (Global) or be restricted to selected [namespaces](../../../../user/kubernetes/namespaces/) only. |
<figure><img src="../../../../.gitbook/assets/2.39-Restrict-sources.png" alt=""><figcaption></figcaption></figure>
Click **Add source** to add an image to the allowed sources list. You can add multiple entries, and each will appear in the **Allowed sources** table. To remove a source, select the checkbox next to the entry and click **Remove** in the top right corner of the table.
When you have finished adding access, click **Create policy**. A confirmation screen displays the changes being made and any existing policy that will be replaced. Click **Confirm** to acknowledge the changes and create the policy.
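Review bot: The `Registry URL prefix` row in the new table says only that it is "the container image or registry that is permitted for deployment", which leaves the matching rule undefined for a control that rejects Pods at admission time. Please state how an entry is compared with a Pod's image reference (a plain string prefix or a match on registry and repository boundaries, and whether tags or digests are taken into account) and include one example entry, because under a plain prefix comparison an entry without a trailing `/` would also admit any other host or repository that starts with the same characters. The paragraph on the pre-populated **Allowed sources** list should also say what happens if an entry that Portainer needs is removed, and the closing sentence "When you have finished adding access" now follows the **Add source** steps, so it should cover sources as well.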