using anyPattern for allowed image registries

examples/best_practices/README.md

@@ -9,7 +9,7 @@
 | Disallow hostPID and hostIPC                   |  [policy_validate_hostpid_hosipc.yaml](policy_validate_hostpid_hosipc.yaml)                                                                     |
 | Require read only root filesystem              | [policy_validate_not_readonly_rootfilesystem.yaml](policy_validate_not_readonly_rootfilesystem.yaml)                                                                      |
 | Disallow node ports                            | [policy_validate_disallow_node_port.yaml](policy_validate_disallow_node_port.yaml)                                                                                                                 |
-| Allow trusted registries                       | [policy_validate_image_registries.yaml](policy_validate_image_registries.yaml)                                                                               |
+| Allow trusted registries                       | [policy_validate_whitelist_image_registries.yaml](policy_validate_whitelist_image_registries.yaml)                                                                               |
 | Require resource requests and limits           | [policy_validate_pod_resources.yaml](policy_validate_pod_resources.yaml)                                                                                     |
 | Require pod liveness and readiness probes      | [policy_validate_pod_probes.yaml](policy_validate_pod_probes.yaml)                                                                                           |
 | Require an image tag                           | [policy_validate_image_tag_notspecified_deny.yaml](policy_validate_image_tag_notspecified_deny.yaml)                                                         |

examples/best_practices/policy_validate_whitelist_image_registries.yaml

@@ -10,10 +10,11 @@ spec:
         kinds:
         - Pod
     validate:
-      message: "Image registry is not allowed"
-      pattern:
-        spec:
+      message: "White list of image registries"
+      anyPattern:
+      - spec:
           containers:
-          - name: "*"
-            # Check allowed registries
-            image: "*nirmata* | https://private.registry.io/*"
+          - image: "https://private.registry.io/*"
+      - spec:
+          containers:
+          - image: "*nirmata*"

examples/best_practices/resources/resource_validate_whitelist_image_registries.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nirmata-nginx
+spec:
+  containers:
+  - name: nirmata-nginx
+    image: nirmata/nginx

pkg/testrunner/testrunner_test.go

@@ -135,3 +135,7 @@ func Test_validate_disallow_sysctl(t *testing.T) {
 func Test_validate_volume_whitelist(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_validate_volume_whiltelist.yaml")
 }
+
+func Test_validate_whitelist_image_registries(t *testing.T) {
+	testScenario(t, "test/scenarios/test/scenario_validate_whitelist_image_registries.yaml")
+}

test/scenarios/test/scenario_validate_whitelist_image_registries.yaml

@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+  policy: examples/best_practices/policy_validate_whitelist_image_registries.yaml
+  resource: examples/best_practices/resources/resource_validate_whitelist_image_registries.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: validate-image-registry
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: nirmata-nginx
+      rules:
+        - name: validate-image-registry
+          type: Validation
+          message: Validation rule 'validate-image-registry' anyPattern[1] succesfully validated
+          success: true