fix pols for 1.18

2026-05-14 18:55:39 +07:00
parent 5578400e7f
commit ffa61ab646
19 changed files with 266 additions and 180 deletions
@@ -31,24 +31,22 @@ spec:
      configMap:
        name: external-data-cache
        namespace: kyverno
+    - name: allowedPattern
+      variable:
+        value: >-
+          {{ join('', ['^(', join('|', split(allowedRegistries.data.\"allowed-registries\", '\n')[?@ != '']), ')']) }}
    validate:
-      message: >-
-        Образ '{{ element.image }}' из недоверенного реестра.
-        Список разрешённых реестров (обновлён {{ allowedRegistries.data.\"last-updated\" }}):
-        {{ allowedRegistries.data.\"allowed-registries\" }}
      foreach:
      - list: >-
          request.object.spec.containers[] |
          merge(request.object.spec.initContainers[] || `[]`, @)
+        message: >-
+          Образ '{{ element.image }}' из недоверенного реестра.
+          Список разрешённых реестров (обновлён {{ allowedRegistries.data.\"last-updated\" }}):
+          {{ allowedRegistries.data.\"allowed-registries\" }}
        deny:
          conditions:
            all:
-            - key: "{{ element.image }}"
-              operator: NotStartsWith
-              value: "registry.company.com/"
-            - key: "{{ element.image }}"
-              operator: NotStartsWith
-              value: "gcr.io/company-project/"
-            - key: "{{ element.image }}"
-              operator: NotStartsWith
-              value: "public.ecr.aws/company/"
+            - key: "{{ regex_match(allowedPattern, element.image) }}"
+              operator: Equals
+              value: false