Annotate Base Images
The base image used to build a container image is not visible to any Kubernetes component and is not a field in a Pod spec, because it has to be fetched from the registry. Recording it on the resource that references the containers gives a clearer picture of what the workload contains. This policy adds an annotation to a Pod (or, via auto-generated rules, its controllers) with the base image of each container whenever the image manifest carries that information in an OCI annotation.
Policy Definition
/other/annotate-base-images/annotate-base-images.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: annotate-base-images
  annotations:
    policies.kyverno.io/title: Annotate Base Images
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.7.0
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      A base image used to construct a container image is not accessible
      by any Kubernetes component and not a field in a Pod spec as it must
      be fetched from a registry. Having this information available in the resource
      referencing the containers helps to provide a clearer understanding of
      its contents. This policy adds an annotation to a Pod or its controllers
      with the base image used for each container if present in an OCI annotation.
spec:
  rules:
  - name: mutate-base-image
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: NotEquals
        value: DELETE
    mutate:
      foreach:
      - list: "request.object.spec.containers"
        context:
        - name: imageData
          imageRegistry:
            reference: "{{ element.image }}"
        - name: basename
          variable:
            jmesPath: imageData.manifest.annotations."org.opencontainers.image.base.name"
            default: ''
        patchesJson6902: |-
          - path: "/metadata/annotations/kyverno.io~1baseimages{{elementIndex}}"
            op: add
            value: "{{basename}}"
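To see what the rule above produces, here is an added Python model of its foreach loop (example code, not part of the Kyverno policy or the Kyverno project): the registry lookup is replaced by a constructed dictionary of manifest annotations, the precondition and the JSON Pointer escaping of the annotation key (kyverno.io/baseimages0 becomes kyverno.io~1baseimages0) are reproduced, and the `default: ''` case is shown for an image whose manifest lacks the OCI base-name annotation. The sample Pod and image references are constructed and already carry an annotations map.

```python
from copy import deepcopy

# Constructed stand-in for the lookups Kyverno's imageRegistry context performs:
# image reference -> OCI manifest annotations. Not real registry data.
MANIFESTS = {
    "ghcr.io/example/app:1.2": {
        "org.opencontainers.image.base.name": "docker.io/library/alpine:3.18",
        "org.opencontainers.image.source": "https://github.com/example/app",
    },
    "ghcr.io/example/sidecar:0.4": {},  # built without the base-image annotation
}

SAMPLE_POD = {  # constructed sample input
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo", "annotations": {"team": "payments"}},
    "spec": {"containers": [
        {"name": "app", "image": "ghcr.io/example/app:1.2"},
        {"name": "sidecar", "image": "ghcr.io/example/sidecar:0.4"},
    ]},
}

def precondition_passes(request_operation):
    # {{request.operation || 'BACKGROUND'}} NotEquals DELETE
    return (request_operation or "BACKGROUND") != "DELETE"

def json_pointer_escape(token):
    # RFC 6901: '~' -> '~0' then '/' -> '~1', which is why the policy path
    # spells the key as kyverno.io~1baseimages{{elementIndex}}.
    return token.replace("~", "~0").replace("/", "~1")

def json_pointer_unescape(token):
    return token.replace("~1", "/").replace("~0", "~")

def build_patches(pod):
    """One RFC 6902 'add' op per container, as the foreach in the policy emits."""
    patches = []
    for index, container in enumerate(pod["spec"]["containers"]):
        annotations = MANIFESTS.get(container["image"], {})
        basename = annotations.get("org.opencontainers.image.base.name", "")  # default: ''
        key = json_pointer_escape(f"kyverno.io/baseimages{index}")
        patches.append({"op": "add", "path": f"/metadata/annotations/{key}", "value": basename})
    return patches

def annotate_base_images(pod, request_operation="CREATE"):
    """Apply the 'add' ops to a copy of the Pod; unchanged Pod if the precondition fails."""
    if not precondition_passes(request_operation):
        return pod
    result = deepcopy(pod)
    for patch in build_patches(pod):
        token = patch["path"].rsplit("/", 1)[1]
        result["metadata"]["annotations"][json_pointer_unescape(token)] = patch["value"]
    return result
```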