Add allowedreposv2 policy and update documentation

open-policy-agent · Dec 17, 2024 · 6078050 · 6078050
1 parent 95673bd
commit 6078050
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 2 deletions.
diff --git a/artifacthub/library/general/allowedrepos/1.0.1/artifacthub-pkg.yml b/artifacthub/library/general/allowedrepos/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8sallowedrepos
 displayName: Allowed Repositories
 createdAt: "2023-10-30T20:59:57Z"
 description: Requires container images to begin with a string from the specified list.
-digest: eaff16a982c2d3029b280b3d4061d82b55215ac648efaafa341e25c7c77b635f
+digest: 1ee1bb4b4fb6128bdcd6bd84c81d1d1e02b4b9c0f9bd3eb85f9fd30e82742dd1
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/allowedrepos
 keywords:

diff --git a/artifacthub/library/general/allowedrepos/1.0.1/template.yaml b/artifacthub/library/general/allowedrepos/1.0.1/template.yaml
@@ -7,6 +7,8 @@ metadata:
     metadata.gatekeeper.sh/version: 1.0.1
     description: >-
       Requires container images to begin with a string from the specified list.
+      To prevent bypasses, ensure a '/' is added when specifying DockerHub repositories or custom registries.
+      If exact matches or glob-like syntax are preferred, use the k8sallowedreposv2 policy.
 spec:
   crd:
     spec:

diff --git a/library/general/allowedrepos/template.yaml b/library/general/allowedrepos/template.yaml
@@ -7,6 +7,8 @@ metadata:
     metadata.gatekeeper.sh/version: 1.0.1
     description: >-
       Requires container images to begin with a string from the specified list.
+      To prevent bypasses, ensure a '/' is added when specifying DockerHub repositories or custom registries.
+      If exact matches or glob-like syntax are preferred, use the k8sallowedreposv2 policy.
 spec:
   crd:
     spec:

diff --git a/src/general/allowedrepos/constraint.tmpl b/src/general/allowedrepos/constraint.tmpl
@@ -7,6 +7,8 @@ metadata:
     metadata.gatekeeper.sh/version: 1.0.1
     description: >-
       Requires container images to begin with a string from the specified list.
+      To prevent bypasses, ensure a '/' is added when specifying DockerHub repositories or custom registries.
+      If exact matches or glob-like syntax are preferred, use the k8sallowedreposv2 policy.
 spec:
   crd:
     spec:

diff --git a/website/docs/validation/allowedrepos.md b/website/docs/validation/allowedrepos.md
@@ -6,7 +6,7 @@ title: Allowed Repositories
 # Allowed Repositories
 
 ## Description
-Requires container images to begin with a string from the specified list.
+Requires container images to begin with a string from the specified list. To prevent bypasses, ensure a '/' is added when specifying DockerHub repositories or custom registries. If exact matches or glob-like syntax are preferred, use the k8sallowedreposv2 policy.
 
 ## Template
 ```yaml
@@ -19,6 +19,8 @@ metadata:
     metadata.gatekeeper.sh/version: 1.0.1
     description: >-
       Requires container images to begin with a string from the specified list.
+      To prevent bypasses, ensure a '/' is added when specifying DockerHub repositories or custom registries.
+      If exact matches or glob-like syntax are preferred, use the k8sallowedreposv2 policy.
 spec:
   crd:
     spec: