apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: block-large-images annotations: policies.kyverno.io/title: Block Large Images policies.kyverno.io/category: Other policies.kyverno.io/severity: medium kyverno.io/kyverno-version: 1.6.0 policies.kyverno.io/minversion: 1.6.0 kyverno.io/kubernetes-version: "1.23" policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- Pods which run containers of very large image size take longer to pull and require more space to store. A user may either inadvertently or purposefully name an image which is unusually large to disrupt operations. This policy checks the size of every container image and blocks if it is over 2 Gibibytes. spec: validationFailureAction: audit rules: - name: block-over-twogi match: any: - resources: kinds: - Pod preconditions: all: - key: "{{request.operation || 'BACKGROUND'}}" operator: NotEquals value: DELETE validate: message: "images with size greater than 2Gi not allowed" foreach: - list: "request.object.spec.containers" context: - name: imageSize imageRegistry: reference: "{{ element.image }}" # Note that we need to use `to_string` here to allow kyverno to treat it like a resource quantity of type memory # the total size of an image as calculated by docker is the total sum of its layer sizes jmesPath: "to_string(sum(manifest.layers[*].size))" deny: conditions: all: - key: "2Gi" operator: LessThan value: "{{imageSize}}"