diff --git a/artifacthub/library/general/allowedrepos/1.0.1/artifacthub-pkg.yml b/artifacthub/library/general/allowedrepos/1.0.1/artifacthub-pkg.yml
index a0c03d51f..79417e079 100644
--- a/artifacthub/library/general/allowedrepos/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/general/allowedrepos/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8sallowedrepos
 displayName: Allowed Repositories
 createdAt: "2023-10-30T20:59:57Z"
 description: Requires container images to begin with a string from the specified list.
-digest: eaff16a982c2d3029b280b3d4061d82b55215ac648efaafa341e25c7c77b635f
+digest: 1ee1bb4b4fb6128bdcd6bd84c81d1d1e02b4b9c0f9bd3eb85f9fd30e82742dd1
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/allowedrepos
 keywords:
diff --git a/artifacthub/library/general/allowedrepos/1.0.1/template.yaml b/artifacthub/library/general/allowedrepos/1.0.1/template.yaml
index 3c554d8e7..d352cf141 100644
--- a/artifacthub/library/general/allowedrepos/1.0.1/template.yaml
+++ b/artifacthub/library/general/allowedrepos/1.0.1/template.yaml
@@ -7,6 +7,8 @@ metadata:
 metadata.gatekeeper.sh/version: 1.0.1
 description: >-
 Requires container images to begin with a string from the specified list.
+ To prevent bypasses, ensure a '/' is added when specifying DockerHub repositories or custom registries.
+ If exact matches or glob-like syntax are preferred, use the k8sallowedreposv2 policy.
 spec:
 crd:
 spec:
diff --git a/library/general/allowedrepos/template.yaml b/library/general/allowedrepos/template.yaml
index 3c554d8e7..d352cf141 100644
--- a/library/general/allowedrepos/template.yaml
+++ b/library/general/allowedrepos/template.yaml
@@ -7,6 +7,8 @@ metadata:
 metadata.gatekeeper.sh/version: 1.0.1
 description: >-
 Requires container images to begin with a string from the specified list.
+ To prevent bypasses, ensure a '/' is added when specifying DockerHub repositories or custom registries.
+ If exact matches or glob-like syntax are preferred, use the k8sallowedreposv2 policy.
 spec:
 crd:
 spec:
diff --git a/src/general/allowedrepos/constraint.tmpl b/src/general/allowedrepos/constraint.tmpl
index 8f0b53fd3..1e8bfce0b 100644
--- a/src/general/allowedrepos/constraint.tmpl
+++ b/src/general/allowedrepos/constraint.tmpl
@@ -7,6 +7,8 @@ metadata:
 metadata.gatekeeper.sh/version: 1.0.1
 description: >-
 Requires container images to begin with a string from the specified list.
+ To prevent bypasses, ensure a '/' is added when specifying DockerHub repositories or custom registries.
+ If exact matches or glob-like syntax are preferred, use the k8sallowedreposv2 policy.
 spec:
 crd:
 spec:
diff --git a/website/docs/validation/allowedrepos.md b/website/docs/validation/allowedrepos.md
index fc56e04fc..b9d70046d 100644
--- a/website/docs/validation/allowedrepos.md
+++ b/website/docs/validation/allowedrepos.md
@@ -6,7 +6,7 @@ title: Allowed Repositories
 # Allowed Repositories
 ## Description
-Requires container images to begin with a string from the specified list.
+Requires container images to begin with a string from the specified list. To prevent bypasses, ensure a '/' is added when specifying DockerHub repositories or custom registries. If exact matches or glob-like syntax are preferred, use the k8sallowedreposv2 policy.
 ## Template
 ```yaml
@@ -19,6 +19,8 @@ metadata:
 metadata.gatekeeper.sh/version: 1.0.1
 description: >-
 Requires container images to begin with a string from the specified list.
+ To prevent bypasses, ensure a '/' is added when specifying DockerHub repositories or custom registries.
+ If exact matches or glob-like syntax are preferred, use the k8sallowedreposv2 policy.
 spec:
 crd:
 spec:
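Review bot: The added description in src/general/allowedrepos/constraint.tmpl says "ensure a '/' is added" without saying where, so an operator can still write an entry that matches more images than intended. Since the policy is described as a plain "begin with a string" match (the Rego itself is outside this hunk), I would spell it out as `To prevent bypasses, end every entry with '/' (for example 'registry.example.com/team/'); an entry without it also matches any longer name that shares the prefix.` The same wording is copied into library/general/allowedrepos/template.yaml, artifacthub/library/general/allowedrepos/1.0.1/template.yaml and website/docs/validation/allowedrepos.md, so the fix belongs in this source template with the copies regenerated. Separately, the artifacthub 1.0.1 template and its `digest` change while `metadata.gatekeeper.sh/version` stays `1.0.1`, so anyone who pinned or verified the earlier 1.0.1 digest will see a mismatch. Presumably the project's versioning rules decide whether a description-only edit needs a new version directory, but that is worth confirming before merge.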