diff --git a/examples/best_practices/README.md b/examples/best_practices/README.md
index ca06f79fcc..2639797c2b 100644
--- a/examples/best_practices/README.md
+++ b/examples/best_practices/README.md
@@ -9,7 +9,7 @@
 | Disallow hostPID and hostIPC | [policy_validate_hostpid_hosipc.yaml](policy_validate_hostpid_hosipc.yaml) |
 | Require read only root filesystem | [policy_validate_not_readonly_rootfilesystem.yaml](policy_validate_not_readonly_rootfilesystem.yaml) |
 | Disallow node ports | [policy_validate_disallow_node_port.yaml](policy_validate_disallow_node_port.yaml) |
-| Allow trusted registries | [policy_validate_image_registries.yaml](policy_validate_image_registries.yaml) |
+| Allow trusted registries | [policy_validate_whitelist_image_registries.yaml](policy_validate_whitelist_image_registries.yaml) |
 | Require resource requests and limits | [policy_validate_pod_resources.yaml](policy_validate_pod_resources.yaml) |
 | Require pod liveness and readiness probes | [policy_validate_pod_probes.yaml](policy_validate_pod_probes.yaml) |
 | Require an image tag | [policy_validate_image_tag_notspecified_deny.yaml](policy_validate_image_tag_notspecified_deny.yaml) |
diff --git a/examples/best_practices/policy_validate_image_registries.yaml b/examples/best_practices/policy_validate_whitelist_image_registries.yaml
similarity index 54%
rename from examples/best_practices/policy_validate_image_registries.yaml
rename to examples/best_practices/policy_validate_whitelist_image_registries.yaml
index b6c037142b..6101104c1a 100644
--- a/examples/best_practices/policy_validate_image_registries.yaml
+++ b/examples/best_practices/policy_validate_whitelist_image_registries.yaml
@@ -10,10 +10,11 @@ spec:
 kinds:
 - Pod
 validate:
- message: "Image registry is not allowed"
- pattern:
- spec:
+ message: "White list of image registries"
+ anyPattern:
+ - spec:
 containers:
- - name: "*"
- # Check allowed registries
- image: "*nirmata* | https://private.registry.io/*"
+ - image: "https://private.registry.io/*"
+ - spec:
+ containers:
+ - image: "*nirmata*"
diff --git a/examples/best_practices/resources/resource_validate_whitelist_image_registries.yaml b/examples/best_practices/resources/resource_validate_whitelist_image_registries.yaml
new file mode 100644
index 0000000000..7c23f0ef07
--- /dev/null
+++ b/examples/best_practices/resources/resource_validate_whitelist_image_registries.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nirmata-nginx
+spec:
+ containers:
+ - name: nirmata-nginx
+ image: nirmata/nginx
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index f4e15af29c..cecf69c88b 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -135,3 +135,7 @@ func Test_validate_disallow_sysctl(t *testing.T) {
 func Test_validate_volume_whitelist(t *testing.T) {
 testScenario(t, "test/scenarios/test/scenario_validate_volume_whiltelist.yaml")
 }
+
+func Test_validate_whitelist_image_registries(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_whitelist_image_registries.yaml")
+}
diff --git a/test/scenarios/test/scenario_validate_whitelist_image_registries.yaml b/test/scenarios/test/scenario_validate_whitelist_image_registries.yaml
new file mode 100644
index 0000000000..cd5363341a
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_whitelist_image_registries.yaml
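Review bot: The first anyPattern entry, `- image: "https://private.registry.io/*"`, cannot match a real container image reference, because Kubernetes image strings carry no URL scheme (they look like `private.registry.io/team/app:tag`), so in practice only the `*nirmata*` entry decides the outcome. That entry is a leading-and-trailing wildcard, which appears to accept any image whose name contains `nirmata` anywhere in the path or tag regardless of the registry it is pulled from; anchoring the patterns to the registry prefix, e.g. `- image: "private.registry.io/*"` and `- image: "nirmata/*"`, would keep the rule to the intended sources (the example resource `nirmata/nginx` still passes). The new `message: "White list of image registries"` names the rule rather than telling the user what was rejected; the removed `"Image registry is not allowed"` wording, or something like `"Image must come from private.registry.io or the nirmata namespace"`, is more useful as a failure message. The enclosing rule (its name and match block) starts before this hunk.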
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+ policy: examples/best_practices/policy_validate_whitelist_image_registries.yaml
+ resource: examples/best_practices/resources/resource_validate_whitelist_image_registries.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: validate-image-registry
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: nirmata-nginx
+ rules:
+ - name: validate-image-registry
+ type: Validation
+ message: Validation rule 'validate-image-registry' anyPattern[1] succesfully validated
+ success: true
\ No newline at end of file
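Review bot: The scenario exercises only the accept path: the expected message `anyPattern[1] succesfully validated` shows `nirmata/nginx` being admitted by the second pattern, and nothing in this commit checks that an image from an unlisted registry is rejected or that the first pattern (`https://private.registry.io/*`) can match anything. A second scenario whose resource uses an image outside both patterns, expecting `success: false` for rule `validate-image-registry`, would pin the deny behaviour the policy exists for; a third with an image under `private.registry.io` would show whether that pattern is reachable. The `succesfully` spelling presumably mirrors the engine's own message string, so it should be corrected together with that source rather than here. The file also ends without a trailing newline.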