I'm trying to configure a policy called "Kubernetes cluster containers should only use allowed images". The policy is installed with Terraform:
policy_definition_reference {
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469"
  reference_id         = "Kubernetes cluster containers should only use allowed images"
  parameter_values     = <<VALUE
{
  "effect": {"value": "[parameters('policyEffect')]"},
  "allowedContainerImagesRegex": {"value": "[parameters('allowedContainerImagesRegex')]"}
}
VALUE
}
The actual parameters are provided in JSON config files for each given Azure subscription. It works properly this way for all other policies we have.
My regex for allowedContainerImagesRegex is:
"allowedContainerImagesRegex": {
  "value": "^([^\\/]+\\.azurecr\\.io|quay\\.io|ghcr\\.io|mcr\\.microsoft\\.com|rapid7|pypiserver|selenium|rancher|flux|pypiserver)\\/.+$"
}
It seems to be working for azurecr, as the policy compliance report doesn't contain any images installed from our Azure container registries. However, it doesn't work for all other registries; for example, it complains about pypiserver/pypiserver:latest, which allegedly should be covered by the above regex.
What is interesting is that Azure Defender complains even about images from Azure Container Registry, as if it were not based upon the same policy compliance results.
Honestly, I can't wrap my head around this problem, any suggestions appreciated.
Many thanks in advance!
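An added example (not from the question or from Azure Policy) that takes the parameter entry exactly as it sits in the JSON config and evaluates the regex with Go's regexp package, the RE2 engine behind OPA/Gatekeeper's regex.match, against a few constructed image references. It shows that pypiserver/pypiserver:latest does match the pattern as written, that the same image spelled with its implicit docker.io registry does not, and that the azurecr.io branch admits every ACR, not only your own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Constructed copy of the parameter entry from the question, as it sits in the JSON file.
const paramJSON = `{
  "allowedContainerImagesRegex": {
    "value": "^([^\\/]+\\.azurecr\\.io|quay\\.io|ghcr\\.io|mcr\\.microsoft\\.com|rapid7|pypiserver|selenium|rancher|flux|pypiserver)\\/.+$"
  }
}`

// LoadAllowedImagesRegex decodes the parameter file and compiles the pattern with
// Go's RE2-based regexp package (the engine OPA's regex.match builtin uses).
func LoadAllowedImagesRegex(raw string) (*regexp.Regexp, error) {
	var params map[string]struct{ Value string } // JSON field matching is case-insensitive
	if err := json.Unmarshal([]byte(raw), &params); err != nil {
		return nil, err
	}
	return regexp.Compile(params["allowedContainerImagesRegex"].Value)
}

// Evaluate reports, per image reference, whether the pattern admits it.
func Evaluate(re *regexp.Regexp, images []string) map[string]bool {
	out := make(map[string]bool, len(images))
	for _, img := range images {
		out[img] = re.MatchString(img)
	}
	return out
}

func main() {
	re, err := LoadAllowedImagesRegex(paramJSON)
	if err != nil {
		panic(err)
	}
	// Constructed sample references, including the one flagged in the question.
	images := []string{
		"pypiserver/pypiserver:latest",
		"docker.io/pypiserver/pypiserver:latest", // same image, registry spelled out
		"myregistry.azurecr.io/app:1.2.3",
		"anyone.azurecr.io/app:1", // any ACR, not only your own, matches
		"nginx:latest",            // no "/" at all: rejected
	}
	verdicts := Evaluate(re, images)
	for _, img := range images {
		fmt.Printf("%-42s allowed=%v\n", img, verdicts[img])
	}
}
```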