---
openshift_master_admission_plugin_config:
  openshift.io/ImagePolicy:
    configuration:
      kind: ImagePolicyConfig
      apiVersion: v1
      # To require that all images running on the platform be imported first, you may uncomment the
      # following rule. Any image that refers to a registry outside of OpenShift will be rejected unless it
      # unless it points directly to an image digest (myregistry.com/myrepo/image@sha256:ea83bcf...) and that
      # digest has been imported via the import-image flow.
      #resolveImages: Required
      executionRules:
      - name: execution-denied
        # Reject all images that have the annotation images.openshift.io/deny-execution set to true.
        # This annotation may be set by infrastructure that wishes to flag particular images as dangerous
        onResources:
        - resource: pods
        - resource: builds
        reject: true
        matchImageAnnotations:
        - key: images.openshift.io/deny-execution
          value: "true"
        skipOnResolutionFailure: true