I have a built-in Policy applied to an AKS Cluster that is primarily used for testing purposes (to check functionalities before they go to Prod clusters and potentially break something). The Policy in question is built-in:
https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469
The regex I applied should basically allow pulling images from major public registries and a private ACR only:
^([^/]+examplehub.azurecr.io|docker.io|hub.docker.com|quay.io|registry.k8s.io)/.+$
which also complies with/extends the example viewable in the Azure Portal:
^([^/]+.azurecr.io|registry.io)/.+$
However, even after repeatedly triggering a manual evaluation from the az CLI with:
az policy state trigger-scan -g myresourcegroup
the compliance state does not switch to "compliant". I extracted the exact container image pull path from the cluster using kubectl and checked this against the regex (with regexr.com), and it says it's compliant; it would be matching. This is why I think my regex is compliant.
Maybe someone can give me a hint?
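The following is an added worked example, not part of the question above, for checking an allowed-images regex offline before assigning it. It runs the two regexes quoted in the question, plus a hypothetical corrected variant with the dots escaped and without the mandatory `[^/]+` prefix in front of the ACR host name, against a set of constructed image references (the image names, the `FIXED_REGEX` and the `mcr.microsoft.com` entry are my assumptions, not values from the cluster in the question). Python's `re` is used as a stand-in for the Rego `re_match` that the Gatekeeper constraint behind this built-in policy applies to `spec.containers[].image`; for these patterns the two engines agree, and the important point is that the string being matched is the image reference as written in the pod spec, so a Docker Hub image written as `nginx:1.25` carries no `docker.io/` prefix.

```python
import re

# Regexes exactly as quoted in the question.
POSTED_REGEX = r"^([^/]+examplehub.azurecr.io|docker.io|hub.docker.com|quay.io|registry.k8s.io)/.+$"
PORTAL_EXAMPLE_REGEX = r"^([^/]+.azurecr.io|registry.io)/.+$"

# Hypothetical corrected variant (my assumption, not from the question):
# literal dots escaped, and the private ACR host matched exactly rather
# than with a mandatory one-or-more-character prefix.
FIXED_REGEX = (
    r"^(examplehub\.azurecr\.io|docker\.io|hub\.docker\.com|quay\.io|registry\.k8s\.io)/.+$"
)

# Constructed image references for the check (not taken from a real cluster).
SAMPLE_IMAGES = [
    "examplehub.azurecr.io/app:1.0",           # the private ACR, written normally
    "myexamplehub.azurecr.io/app:1.0",         # a different ACR whose name merely ends in "examplehub"
    "docker.io/library/nginx:1.25",            # Docker Hub, fully qualified
    "nginx:1.25",                              # Docker Hub, short form as usually written in a pod spec
    "library/nginx:1.25",                      # Docker Hub, short form with namespace
    "registry.k8s.io/pause:3.9",
    "dockerXio/evil:latest",                   # exercises the unescaped dot in "docker.io"
    "mcr.microsoft.com/oss/kubernetes/pause:3.6",  # registry not in the allowlist
]


def is_allowed(regex, image):
    """True if the policy regex admits this image reference.

    The patterns carry their own ^ and $ anchors, so re.search behaves like
    an anchored match here, which mirrors how a regex is applied in Rego.
    """
    return re.search(regex, image) is not None


def evaluate(regex, images=SAMPLE_IMAGES):
    """Map each image reference to whether the regex admits it."""
    return {img: is_allowed(regex, img) for img in images}


def offending_images(regex, images=SAMPLE_IMAGES):
    """Image references that would make a pod violate the constraint."""
    return [img for img in images if not is_allowed(regex, img)]


if __name__ == "__main__":
    for name, rx in [
        ("posted", POSTED_REGEX),
        ("portal example", PORTAL_EXAMPLE_REGEX),
        ("fixed", FIXED_REGEX),
    ]:
        print(f"== {name}: {rx}")
        for img, ok in evaluate(rx).items():
            print(f"  {'allow' if ok else 'DENY '}  {img}")
```

Two things the output makes visible: with the posted regex, `examplehub.azurecr.io/app:1.0` is denied, because `[^/]+examplehub` demands at least one character before `examplehub` (the portal example only works because there `[^/]+` stands in for the whole registry name), while any ACR whose name merely ends in `examplehub` is allowed; and the unescaped dots let `dockerXio/evil:latest` through. Neither of those produces a non-compliant pod by itself, but short-form Docker Hub images (`nginx:1.25`) and images from registries outside the list, such as the `mcr.microsoft.com` images that AKS add-ons pull in namespaces not covered by the policy's excluded-namespaces parameter, are denied by every variant, so it is worth listing the `image` field of every pod in every non-excluded namespace rather than only the workload under test. If the corrected regex is assigned through `az policy assignment create --params` as JSON, the backslashes must be doubled (`\\.`) in the JSON string.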