Image Registry Allowlist
See which registries Kupe allows and how audit-mode enforcement works.
Current enforcement mode
Section titled “Current enforcement mode”Audit mode. Your deploys work regardless of which registry you pull from, but the platform records every image’s registry for visibility. The data powers a platform dashboard the kupe team uses to understand which registries are in active use.
This mode may change to Enforce in the future. If it does, you’ll get at least 30 days’ advance notice, and the default allowlist will be large enough to cover the major public registries developers reach for. See Cluster Policies — audit vs enforce for the general policy.
Approved Registries
Section titled “Approved Registries”These are the registries currently on the default allowlist. If enforcement is ever flipped to blocking mode, these are the ones that continue to work without any action on your part:
| Registry | URL Pattern | Description |
|---|---|---|
| Docker Hub | docker.io/* | Docker Hub (official images + community) |
| GitHub Container Registry | ghcr.io/* | GitHub Packages — most upstream projects + your own ghcr.io/<org>/* |
| Red Hat Quay | quay.io/* | Red Hat, Prometheus/Grafana ecosystem, many Operator Hub images |
| Kubernetes | registry.k8s.io/* | Official Kubernetes images |
| Google public | gcr.io/* | Google-maintained public images — distroless, kaniko, etc. |
| Microsoft | mcr.microsoft.com/* | Microsoft — .NET, SQL Server, Azure SDKs |
| NVIDIA | nvcr.io/* | NVIDIA NGC — GPU / ML workloads |
| AWS public | public.ecr.aws/* | Amazon’s public ECR |
| Loft | loft-sh/* | vCluster system images (used internally by the platform) |
This list covers roughly 95% of the public open-source container ecosystem.
Requesting Additional Registries
Section titled “Requesting Additional Registries”The registry policy is in audit mode, so you don’t need to request anything to get a deploy through right now. If you want the platform team to add a registry to the allowlist anyway (for a future enforce-mode cutover, or for compliance reporting on your team’s behalf):
- Open a support request via the console or email support@kupe.cloud
- Include:
- The registry URL (e.g.,
your-company.jfrog.io/*) - Why the registry is needed
- Whether it applies to one cluster or all your clusters
- The registry URL (e.g.,
- The platform team reviews and adds it to the policy
Private team registries like your GitHub Container Registry at
ghcr.io/<your-org>/* are already covered by the top-level ghcr.io/*
wildcard — no action needed.
What’s still blocked (unchanged)
Section titled “What’s still blocked (unchanged)”Audit mode on registries does not loosen any other policy. You still get rejected for running privileged containers, using hostNetwork, missing resource limits, or running as root inside a tenant namespace — see Cluster policies for the full set.
Best Practices
Section titled “Best Practices”- Pin image tags to specific versions or digests for production workloads
- Use private registries (GHCR, ECR, GCR) for proprietary images
- Scan images before deploying — Kupe Cloud runs continuous vulnerability scanning via Trivy Operator, and results are visible in your cluster
- Avoid untrusted community images — prefer official images from known publishers