You can specify specific public or private image registries that can be used with specific clusters in Cisco Panoptica. Panoptica will consider these registries, and the images pulled from them, as trusted. Workloads deployed from these registries will be designated as 'known'. Conversely, workloads deployed from other registries will be designated as 'unknown'.

The Panoptica Deployment Runtime Policy includes a default rule that applies to unknown workloads. You can set the action for this rule to Block the deployment, Detect them (allow the deployment, but record an audit event), or Allow them.

You can configure Panoptica clusters to check the registries from which images are pulled, and enforce the Runtime policy rule.

In this way, you can ensure that only images from trusted sources are deployed on your clusters.

Add a new trusted registry

Follow these steps to add a registry as trusted for a cluster in Panoptica.

1. Navigate to the Deployments page, and select REGISTRIES.
2. Click New Registry.

3. Enter the URL for the registry.
4. Enter the Panoptica clusters that can use this registry.
5. Click FINISH.

You can indicate more than one cluster for a registry. You can also define more than one registry as trusted for a specific cluster.

Configure a Cluster to check registry

Configure a Panoptica cluster to check the registry for images deployed on it. Enable the Restrict Registries option for the cluster. When this is enabled, workloads deployed on the cluster will be designated as 'unknown' if they from Registries that are not associated with the cluster. They will then be subject to the default Runtime Deployment Policy Unknown Workload rule.