As a DevOps engineer for a financial organization, you're tasked with setting up an automated CI/CD pipeline to deploy applications to GKE clusters in production. A key requirement is to restrict the types and sources of container images that can be deployed. How would you implement this restriction?