kyverno/test/conformance/kuttl/validate/e2e/trusted-images/policy.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-trustable-images
spec:
  validationFailureAction: Enforce
  rules:
  - name: only-allow-trusted-images
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      - key: "{{request.operation}}"
        operator: NotEquals
        value: DELETE
    validate:
      message: "images with root user are not allowed"
      foreach:
      - list: "request.object.spec.containers"
        context:
        - name: imageData
          imageRegistry:
            reference: "{{ element.image }}"
            jmesPath: "{user: configData.config.User || '', registry: registry}"
        deny:
          conditions:
            all:
              - key: "{{ imageData.user }}"
                operator: Equals
                value: ""
              - key: "{{ imageData.registry }}"
                operator: NotEquals
                value: "ghcr.io"
Migrate validate e2e tests to kuttl tests (#5483) * add global-anchor test Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add trusted-images test Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add yaml-signing test Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add x509-decode test Signed-off-by: Chip Zoller <chipzoller@gmail.com> Signed-off-by: Chip Zoller <chipzoller@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> 2022-11-28 09:04:21 -05:00			`apiVersion: kyverno.io/v1`
			`kind: ClusterPolicy`
			`metadata:`
			`name: check-trustable-images`
			`spec:`
chore: use Enforce instead of enforce in kuttl tests (#6763) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-04-03 15:36:30 +02:00			`validationFailureAction: Enforce`
Migrate validate e2e tests to kuttl tests (#5483) * add global-anchor test Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add trusted-images test Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add yaml-signing test Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add x509-decode test Signed-off-by: Chip Zoller <chipzoller@gmail.com> Signed-off-by: Chip Zoller <chipzoller@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> 2022-11-28 09:04:21 -05:00			`rules:`
			`- name: only-allow-trusted-images`
			`match:`
			`any:`
			`- resources:`
			`kinds:`
			`- Pod`
			`preconditions:`
			`- key: "{{request.operation}}"`
			`operator: NotEquals`
			`value: DELETE`
			`validate:`
			`message: "images with root user are not allowed"`
			`foreach:`
			`- list: "request.object.spec.containers"`
			`context:`
			`- name: imageData`
			`imageRegistry:`
			`reference: "{{ element.image }}"`
			`jmesPath: "{user: configData.config.User \|\| '', registry: registry}"`
			`deny:`
			`conditions:`
			`all:`
			`- key: "{{ imageData.user }}"`
			`operator: Equals`
			`value: ""`
			`- key: "{{ imageData.registry }}"`
			`operator: NotEquals`
			`value: "ghcr.io"`