Skip to content

Image Registry Allowlist

See which registries Kupe allows and how audit-mode enforcement works.

Audit mode. Your deploys work regardless of which registry you pull from, but the platform records every image’s registry for visibility. The data powers a platform dashboard the kupe team uses to understand which registries are in active use.

This mode may change to Enforce in the future. If it does, you’ll get at least 30 days’ advance notice, and the default allowlist will be large enough to cover the major public registries developers reach for. See Cluster Policies — audit vs enforce for the general policy.

These are the registries currently on the default allowlist. If enforcement is ever flipped to blocking mode, these are the ones that continue to work without any action on your part:

RegistryURL PatternDescription
Docker Hubdocker.io/*Docker Hub (official images + community)
GitHub Container Registryghcr.io/*GitHub Packages — most upstream projects + your own ghcr.io/<org>/*
Red Hat Quayquay.io/*Red Hat, Prometheus/Grafana ecosystem, many Operator Hub images
Kubernetesregistry.k8s.io/*Official Kubernetes images
Google publicgcr.io/*Google-maintained public images — distroless, kaniko, etc.
Microsoftmcr.microsoft.com/*Microsoft — .NET, SQL Server, Azure SDKs
NVIDIAnvcr.io/*NVIDIA NGC — GPU / ML workloads
AWS publicpublic.ecr.aws/*Amazon’s public ECR
Loftloft-sh/*vCluster system images (used internally by the platform)

This list covers roughly 95% of the public open-source container ecosystem.

The registry policy is in audit mode, so you don’t need to request anything to get a deploy through right now. If you want the platform team to add a registry to the allowlist anyway (for a future enforce-mode cutover, or for compliance reporting on your team’s behalf):

  1. Open a support request via the console or email support@kupe.cloud
  2. Include:
    • The registry URL (e.g., your-company.jfrog.io/*)
    • Why the registry is needed
    • Whether it applies to one cluster or all your clusters
  3. The platform team reviews and adds it to the policy

Private team registries like your GitHub Container Registry at ghcr.io/<your-org>/* are already covered by the top-level ghcr.io/* wildcard — no action needed.

Audit mode on registries does not loosen any other policy. You still get rejected for running privileged containers, using hostNetwork, missing resource limits, or running as root inside a tenant namespace — see Cluster policies for the full set.

  • Pin image tags to specific versions or digests for production workloads
  • Use private registries (GHCR, ECR, GCR) for proprietary images
  • Scan images before deploying — Kupe Cloud runs continuous vulnerability scanning via Trivy Operator, and results are visible in your cluster
  • Avoid untrusted community images — prefer official images from known publishers