Annotate Base Images
A base image used to construct a container image is not accessible by any Kubernetes component and not a field in a Pod spec as it must be fetched from a registry. Having this information available in the resource referencing the containers helps to provide a clearer understanding of its contents. This policy adds an annotation to a Pod or its controllers with the base image used for each container if present in an OCI annotation.
Policy Definition
/other/annotate-base-images/annotate-base-images.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: annotate-base-images
  annotations:
    policies.kyverno.io/title: Annotate Base Images
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    # Autogen is disabled, so no rules are auto-generated for Pod controllers.
    pod-policies.kyverno.io/autogen-controllers: none
    kyverno.io/kyverno-version: 1.7.0
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      A base image used to construct a container image is not accessible
      by any Kubernetes component and not a field in a Pod spec as it must
      be fetched from a registry. Having this information available in the resource
      referencing the containers helps to provide a clearer understanding of
      its contents. This policy adds an annotation to a Pod or its controllers
      with the base image used for each container if present in an OCI annotation.
spec:
  rules:
  - name: mutate-base-image
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: NotEquals
        value: DELETE
    mutate:
      foreach:
      - list: "request.object.spec.containers"
        context:
        # Fetch image metadata from the registry for this container's image.
        - name: imageData
          imageRegistry:
            reference: "{{ element.image }}"
        # Read the OCI base-image annotation; fall back to '' when it is absent.
        - name: basename
          variable:
            jmesPath: imageData.manifest.annotations."org.opencontainers.image.base.name"
            default: ''
        # ~1 is the JSON Pointer escape for "/", so the key is kyverno.io/baseimages<index>.
        patchesJson6902: |-
          - path: "/metadata/annotations/kyverno.io~1baseimages{{elementIndex}}"
            op: add
            value: "{{basename}}"
```
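The following added example (not part of the Kyverno policy or project) reads the `kyverno.io/baseimages<index>` annotations this policy writes and pairs each one with its container, separating Pods that were never mutated from images that carry no `org.opencontainers.image.base.name` annotation. Pod names, image references and status labels are constructed for illustration.

```python
PREFIX = "kyverno.io/baseimages"  # annotation key the policy writes, followed by elementIndex

# Constructed sample Pods, shaped like items from `kubectl get pods -o json`.
SAMPLE_PODS = [
    {"metadata": {"name": "web", "annotations": {
        "kyverno.io/baseimages0": "registry.example.com/base/debian:12",
        "kyverno.io/baseimages1": ""}},
     "spec": {"initContainers": [{"name": "init-db", "image": "registry.example.com/tools/migrate:2"}],
              "containers": [{"name": "app", "image": "registry.example.com/web:1.4"},
                             {"name": "sidecar", "image": "registry.example.com/proxy:0.9"}]}},
    {"metadata": {"name": "legacy"},
     "spec": {"containers": [{"name": "main", "image": "registry.example.com/legacy:3"}]}},
]


def base_image_report(pod):
    """Pair each entry of spec.containers with the base image recorded for its index."""
    annotations = pod["metadata"].get("annotations") or {}
    rows = []
    for index, container in enumerate(pod["spec"].get("containers", [])):
        value = annotations.get(f"{PREFIX}{index}")
        if value is None:
            status = "not-annotated"       # no key for this index: Pod was not mutated
        elif value == "":
            status = "no-base-annotation"  # the policy's default '' was written
        else:
            status = "recorded"
        rows.append({"pod": pod["metadata"]["name"], "container": container["name"],
                     "image": container["image"], "base": value, "status": status})
    return rows


def uncovered_containers(pod):
    """initContainers are outside the policy's foreach list and never get an entry."""
    return [c["name"] for c in pod["spec"].get("initContainers", [])]


if __name__ == "__main__":
    for pod in SAMPLE_PODS:
        for row in base_image_report(pod):
            print(row)
        for name in uncovered_containers(pod):
            print({"pod": pod["metadata"]["name"], "container": name,
                   "status": "outside-policy-scope"})
```

Because the rule iterates only `request.object.spec.containers`, base images of init containers are not recorded and need a separate check.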