allow trusted registries

pkg/testrunner/testrunner_test.go

@@ -136,8 +136,8 @@ func Test_validate_volume_whitelist(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_validate_volume_whiltelist.yaml")
 }
 
-func Test_validate_whitelist_image_registries(t *testing.T) {
+func Test_validate_trusted_image_registries(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_whitelist_image_registries.yaml")
+	testScenario(t, "test/scenarios/test/scenario_validate_trusted_image_registries.yaml")
 }
 
 func Test_require_pod_requests_limits(t *testing.T) {

samples/best_practices/trusted_image_registries.yaml

@@ -0,0 +1,17 @@
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: trusted-registries
+spec:
+  rules:
+  - name: trusted-registries
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Deny untrusted registries"
+      pattern:
+        spec:
+          containers:
+          - image: "k8s.gcr.io/* | gcr.io/*"

test/manifest/trusted_image_registries.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: k8s-nginx
+spec:
+  containers:
+  - name: k8s-nginx
+    image: k8s.gcr.io/nginx:1.7.9

test/scenarios/test/scenario_validate_trusted_image_registries.yaml

@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+  policy: samples/best_practices/trusted_image_registries.yaml
+  resource: test/manifest/trusted_image_registries.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: trusted-registries
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: k8s-nginx
+      rules:
+        - name: trusted-registries
+          type: Validation
+          message: Validation rule 'trusted-registries' succesfully validated
+          success: true

test/scenarios/test/scenario_validate_whitelist_image_registries.yaml

@@ -1,18 +0,0 @@
-# file path relative to project root
-input:
-  policy: examples/best_practices/policy_validate_whitelist_image_registries.yaml
-  resource: examples/best_practices/resources/resource_validate_whitelist_image_registries.yaml
-expected:
-  validation:
-    policyresponse:
-      policy: validate-image-registry
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: nirmata-nginx
-      rules:
-        - name: validate-image-registry
-          type: Validation
-          message: Validation rule 'validate-image-registry' anyPattern[1] succesfully validated
-          success: true