Is it possible to restrict download access to unapproved Docker images? (Whitelist?)

Is it possible to set up/configure Docker on macOS so that only whitelisted registries or whitelisted images/containers can be downloaded?

You could write your own policies with OPA and enforce them. I have never used OPA, but according to the docs, the image field is transported to the policy engine and you should be able to use the built-in function startswith(string, search) to check whether the string for the image starts with the FQDN of a whitelisted registry.

At least it’s worth a try.
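
As an added example (not part of the original answer, and not code from the OPA project), this Rego policy applies the startswith check suggested above and handles image references that name no registry. It assumes the image reference reaches the policy as input.Body.Image, the field name the Docker Engine API uses in its container-create body; the registry names and rule names are constructed.

```rego
package docker.images

# Needs an OPA release that supports the rego.v1 import.
import rego.v1

default image_allowed := false

# Constructed allowlist. The trailing "/" matters: without it the prefix
# "registry.example.internal" also matches
# "registry.example.internal.other.example/app".
allowed_prefixes := {
	"registry.example.internal/",
	"docker.io/library/",
}

# Assumption: the integration in use passes the image reference here.
image := input.Body.Image

# Docker treats the first path component as a registry host only if it
# contains "." or ":" or is "localhost"; otherwise the reference
# resolves to Docker Hub.
looks_like_host(s) if contains(s, ".")
looks_like_host(s) if contains(s, ":")
looks_like_host(s) if s == "localhost"

has_registry_host if {
	contains(image, "/")
	looks_like_host(split(image, "/")[0])
}

# Expand short names before comparing, so "ubuntu:22.04" is judged as
# "docker.io/library/ubuntu:22.04" and "someuser/app" as "docker.io/someuser/app".
normalized := image if has_registry_host

normalized := concat("", ["docker.io/", image]) if {
	not has_registry_host
	contains(image, "/")
}

normalized := concat("", ["docker.io/library/", image]) if {
	not has_registry_host
	not contains(image, "/")
}

image_allowed if {
	some prefix in allowed_prefixes
	startswith(normalized, prefix)
}
```

The policy only decides whether an image reference is acceptable; image_allowed still has to be referenced from whatever allow rule the chosen OPA integration evaluates.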