From 012360ae3a11078b06c353ea0b2ab8d3d3f8d477 Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Thu, 10 Oct 2019 10:29:10 -0700
Subject: [PATCH] allow trusted registries
---
 pkg/testrunner/testrunner_test.go | 4 ++--
 .../trusted_image_registries.yaml | 17 +++++++++++++++++
 test/manifest/trusted_image_registries.yaml | 8 ++++++++
 ...ario_validate_trusted_image_registries.yaml | 18 ++++++++++++++++++
 ...io_validate_whitelist_image_registries.yaml | 18 ------------------
 5 files changed, 45 insertions(+), 20 deletions(-)
 create mode 100644 samples/best_practices/trusted_image_registries.yaml
 create mode 100644 test/manifest/trusted_image_registries.yaml
 create mode 100644 test/scenarios/test/scenario_validate_trusted_image_registries.yaml
 delete mode 100644 test/scenarios/test/scenario_validate_whitelist_image_registries.yaml
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 40cf40347d..044ce35675 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -136,8 +136,8 @@ func Test_validate_volume_whitelist(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_validate_volume_whiltelist.yaml")
 }
 
-func Test_validate_whitelist_image_registries(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_whitelist_image_registries.yaml")
+func Test_validate_trusted_image_registries(t *testing.T) {
+	testScenario(t, "test/scenarios/test/scenario_validate_trusted_image_registries.yaml")
 }
 
 func Test_require_pod_requests_limits(t *testing.T) {
diff --git a/samples/best_practices/trusted_image_registries.yaml b/samples/best_practices/trusted_image_registries.yaml
new file mode 100644
index 0000000000..0f2921d949
--- /dev/null
+++ b/samples/best_practices/trusted_image_registries.yaml
@@ -0,0 +1,17 @@
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: trusted-registries
+spec:
+  rules:
+  - name: trusted-registries
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Deny untrusted registries"
+      pattern:
+        spec:
+          containers:
+          - image: "k8s.gcr.io/* | gcr.io/*"
diff --git a/test/manifest/trusted_image_registries.yaml b/test/manifest/trusted_image_registries.yaml
new file mode 100644
index 0000000000..b6945fa348
--- /dev/null
+++ b/test/manifest/trusted_image_registries.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: k8s-nginx
+spec:
+  containers:
+  - name: k8s-nginx
+    image: k8s.gcr.io/nginx:1.7.9
diff --git a/test/scenarios/test/scenario_validate_trusted_image_registries.yaml b/test/scenarios/test/scenario_validate_trusted_image_registries.yaml
new file mode 100644
index 0000000000..d7881251d6
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_trusted_image_registries.yaml
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+  policy: samples/best_practices/trusted_image_registries.yaml
+  resource: test/manifest/trusted_image_registries.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: trusted-registries
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: k8s-nginx
+      rules:
+        - name: trusted-registries
+          type: Validation
+          message: Validation rule 'trusted-registries' succesfully validated
+          success: true
\ No newline at end of file
diff --git a/test/scenarios/test/scenario_validate_whitelist_image_registries.yaml b/test/scenarios/test/scenario_validate_whitelist_image_registries.yaml
deleted file mode 100644
index cd5363341a..0000000000
--- a/test/scenarios/test/scenario_validate_whitelist_image_registries.yaml
+++ /dev/null
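Review bot: The pattern at the end of the policy hunk only constrains `spec.containers`, so a Pod whose `initContainers` pull from an untrusted registry is admitted even though those are the first things to run in the pod. Add a sibling entry under `pattern.spec`, e.g. `=(initContainers):` followed by `- image: "k8s.gcr.io/* | gcr.io/*"`, using whichever conditional anchor this Kyverno version supports so that pods without init containers still pass. Separately, `gcr.io/*` admits every project on a public multi-tenant registry, which is far wider than "trusted"; consider pinning to specific projects (`gcr.io/<project>/*`) or to `k8s.gcr.io/*` alone. The stray space in `apiVersion : kyverno.io/v1alpha1` parses but is inconsistent with every other key in the file; write `apiVersion: kyverno.io/v1alpha1`.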
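Review bot: The new scenario only exercises the allow path — `k8s.gcr.io/nginx:1.7.9` is expected to pass with `success: true` — so nothing in the suite shows that the rule actually denies an image from another registry. Add a second manifest/scenario pair with an untrusted image such as `image: docker.io/library/nginx:1.7.9` and expect `success: false`, which would also catch a regression in how the `|` alternative in the pattern is evaluated. The expected `message` keeps the spelling `succesfully`; that is presumably the literal string the engine emits, so it should stay until the engine's message is fixed rather than being corrected here. The file also lacks a trailing newline, as the `\ No newline at end of file` marker shows.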
@@ -1,18 +0,0 @@
-# file path relative to project root
-input:
-  policy: examples/best_practices/policy_validate_whitelist_image_registries.yaml
-  resource: examples/best_practices/resources/resource_validate_whitelist_image_registries.yaml
-expected:
-  validation:
-    policyresponse:
-      policy: validate-image-registry
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: nirmata-nginx
-      rules:
-        - name: validate-image-registry
-          type: Validation
-          message: Validation rule 'validate-image-registry' anyPattern[1] succesfully validated
-          success: true
\ No newline at end of file