diff --git a/etc/zun/policy.json b/etc/zun/policy.json
index f45678fd8..ee7b39de5 100644
--- a/etc/zun/policy.json
+++ b/etc/zun/policy.json
@@ -1,11 +1,6 @@
 {
 "default": "rule:admin_or_owner",
- "image:pull": "rule:default",
- "image:get_all": "rule:default",
- "image:search": "rule:default",
-
-
 "zun-service:delete": "rule:admin_api",
 "zun-service:disable": "rule:admin_api",
 "zun-service:enable": "rule:admin_api",
diff --git a/zun/common/policies/__init__.py b/zun/common/policies/__init__.py
index 6beda1a5a..009b57d52 100644
--- a/zun/common/policies/__init__.py
+++ b/zun/common/policies/__init__.py
@@ -14,10 +14,12 @@ import itertools
 from zun.common.policies import base
 from zun.common.policies import container
+from zun.common.policies import image
 def list_rules():
 return itertools.chain(
 base.list_rules(),
- container.list_rules()
+ container.list_rules(),
+ image.list_rules()
 )
diff --git a/zun/common/policies/image.py b/zun/common/policies/image.py
new file mode 100644
index 000000000..0d0656ab0
--- /dev/null
+++ b/zun/common/policies/image.py
@@ -0,0 +1,66 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from zun.common.policies import base
+
+IMAGE = 'image:%s'
+
+rules = [
+ # FIXME(lbragstad): This API call isn't actually listed in zun's API
+ # reference:
+ # https://developer.openstack.org/api-ref/application-container/
+ policy.DocumentedRuleDefault(
+ name=IMAGE % 'pull',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Pull an image.',
+ operations=[
+ {
+ 'path': '/v1/images',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ # FIXME(lbragstad): This API call isn't actually listed in zun's API
+ # reference:
+ # https://developer.openstack.org/api-ref/application-container/
+ policy.DocumentedRuleDefault(
+ name=IMAGE % 'get_all',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Print a list of available images.',
+ operations=[
+ {
+ 'path': '/v1/images',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ # FIXME(lbragstad): This API call isn't actually listed in zun's API
+ # reference:
+ # https://developer.openstack.org/api-ref/application-container/
+ policy.DocumentedRuleDefault(
+ name=IMAGE % 'search',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Search an image.',
+ operations=[
+ {
+ 'path': '/v1/images/{image_ident}/search',
+ 'method': 'GET'
+ }
+ ]
+ )
+]
+
+
+def list_rules():
+ return rules
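Review bot: All three rules pin `check_str=base.RULE_ADMIN_OR_OWNER`, whereas the policy.json entries this commit deletes pointed at `rule:default`, so `image:pull`, `image:get_all` and `image:search` no longer inherit an operator's override of the `default` rule and a deployment that tightened `default` to govern image access silently falls back to admin-or-owner unless each key is overridden by name. That is the expected direction for policy-in-code, but it should be stated where operators will see it; I would add above `rules = [` a comment such as `# NOTE: these defaults replace the former "rule:default" entries in policy.json; deployments that customised "default" must now override the image:* rules explicitly.` and reference the same fact in a release note. The identical FIXME repeated before each rule could be stated once at module level, since the three paths share the one missing api-ref entry. Whether `image:pull`, a POST that makes a host fetch an image, should carry the same target-based owner check as the two read paths depends on what target the controller hands to `enforce`, which is outside this hunk; with no pre-existing owner the `project_id` match is presumably against the caller's own context and then amounts to any authenticated user, so it is worth confirming that is the intended default.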