diff --git a/.gitbook/assets/2.39-Restrict-sources.png b/.gitbook/assets/2.39-Restrict-sources.png new file mode 100644 index 00000000..3e982205 Binary files /dev/null and b/.gitbook/assets/2.39-Restrict-sources.png differ diff --git a/admin/environments/policies/kubernetes-policies/kubernetes-registry-policy.md b/admin/environments/policies/kubernetes-policies/kubernetes-registry-policy.md index 320baa68..92128a48 100644 --- a/admin/environments/policies/kubernetes-policies/kubernetes-registry-policy.md +++ b/admin/environments/policies/kubernetes-policies/kubernetes-registry-policy.md @@ -24,4 +24,20 @@ Currently, only custom registry policies can be created. Future improvements to
-Click **Add Access** to add the registry to the access list, multiple entries can be added. Each access added will show in the **Registry access list**. When you have finished adding access, click **Create policy**. A confirmation screen displays the changes being made and any existing policy that will be replaced. Click **Confirm** to acknowledge the changes and create the policy. +Click **Add Access** to add the registry to the access list. You can add multiple entries, and each will appear in the **Registry access list** table. To remove a registry, select the checkbox next to the entry and click **Remove** in the top right corner of the table. + +To restrict deployment to approved container images only, enable **Restrict sources** and define the allowed images. You can set the scope to apply cluster-wide or limit it to specific namespaces. + +The **Allowed sources** list is pre-populated with common images, including those required for Portainer to operate. + +| Field/Option | Overview | +| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Restrict sources | When enabled, Portainer creates a Kubernetes `ValidatingAdmissionPolicy` to ensure only container images from approved registries can be deployed. Any Pod that references an image from an unapproved source will be rejected at admission time and will not be created. | +| Registry URL prefix | The container image or registry that is permitted for deployment. | +| Scope | Specify whether the allowed access should apply cluster-wide (Global) or be restricted to selected [namespaces](../../../../user/kubernetes/namespaces/) only. | + +
+ +Click **Add source** to add an image to the allowed sources list. You can add multiple entries, and each will appear in the **Allowed sources** table. To remove a source, select the checkbox next to the entry and click **Remove** in the top right corner of the table. + +When you have finished adding access, click **Create policy**. A confirmation screen displays the changes being made and any existing policy that will be replaced. Click **Confirm** to acknowledge the changes and create the policy.
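Review bot: The new **Restrict sources** row in the table should state the minimum Kubernetes version, since `ValidatingAdmissionPolicy` only became generally available in Kubernetes 1.30 (beta behind a feature gate in 1.28 and 1.29); without that, readers on older clusters will enable the option and get no enforcement. Two further clarifications in the same hunk would help practitioners: first, the **Registry URL prefix** row describes the value as "the container image or registry that is permitted" but does not say that matching is a string prefix on the image reference, so document whether a trailing `/` is required (a bare `registry.example.com` prefix would otherwise also match `registry.example.com.attacker.test/...`-style references, and `docker.io/library` would match `docker.io/library-other`); second, the sentence "Any Pod that references an image from an unapproved source will be rejected at admission time and will not be created" is accurate but should add that Pods already running are not affected and that, because the policy applies to Pod objects, a Deployment or Job with an unapproved image is accepted at `kubectl apply` time and the rejection only surfaces in the ReplicaSet/Job events. Minor consistency points: the **Scope** row says "allowed access" where the surrounding text says "allowed sources", and the closing line "When you have finished adding access, click **Create policy**" now follows the sources section, so "adding sources" (or "adding registries and sources") reads better. Finally, the binary asset `2.39-Restrict-sources.png` is added in this change but no reference to it appears in the visible hunk lines; confirm the figure embed is present in the file.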