From cac41d9fda1dba95a72b86498cc0c75cfb91852b Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Mon, 7 Oct 2019 14:34:32 -0700
Subject: [PATCH] using anyPattern for allowed image registries
---
 examples/best_practices/README.md | 2 +-
 ...y_validate_whitelist_image_registries.yaml} | 13 +++++++------
 ...ce_validate_whitelist_image_registries.yaml | 8 ++++++++
 pkg/testrunner/testrunner_test.go | 4 ++++
 ...io_validate_whitelist_image_registries.yaml | 18 ++++++++++++++++++
 5 files changed, 38 insertions(+), 7 deletions(-)
 rename examples/best_practices/{policy_validate_image_registries.yaml => policy_validate_whitelist_image_registries.yaml} (54%)
 create mode 100644 examples/best_practices/resources/resource_validate_whitelist_image_registries.yaml
 create mode 100644 test/scenarios/test/scenario_validate_whitelist_image_registries.yaml
diff --git a/examples/best_practices/README.md b/examples/best_practices/README.md
index ca06f79fcc..2639797c2b 100644
--- a/examples/best_practices/README.md
+++ b/examples/best_practices/README.md
@@ -9,7 +9,7 @@
 | Disallow hostPID and hostIPC | [policy_validate_hostpid_hosipc.yaml](policy_validate_hostpid_hosipc.yaml) |
 | Require read only root filesystem | [policy_validate_not_readonly_rootfilesystem.yaml](policy_validate_not_readonly_rootfilesystem.yaml) |
 | Disallow node ports | [policy_validate_disallow_node_port.yaml](policy_validate_disallow_node_port.yaml) |
-| Allow trusted registries | [policy_validate_image_registries.yaml](policy_validate_image_registries.yaml) |
+| Allow trusted registries | [policy_validate_whitelist_image_registries.yaml](policy_validate_whitelist_image_registries.yaml) |
 | Require resource requests and limits | [policy_validate_pod_resources.yaml](policy_validate_pod_resources.yaml) |
 | Require pod liveness and readiness probes | [policy_validate_pod_probes.yaml](policy_validate_pod_probes.yaml) |
 | Require an image tag | [policy_validate_image_tag_notspecified_deny.yaml](policy_validate_image_tag_notspecified_deny.yaml) |
diff --git a/examples/best_practices/policy_validate_image_registries.yaml b/examples/best_practices/policy_validate_whitelist_image_registries.yaml
similarity index 54%
rename from examples/best_practices/policy_validate_image_registries.yaml
rename to examples/best_practices/policy_validate_whitelist_image_registries.yaml
index b6c037142b..6101104c1a 100644
--- a/examples/best_practices/policy_validate_image_registries.yaml
+++ b/examples/best_practices/policy_validate_whitelist_image_registries.yaml
@@ -10,10 +10,11 @@ spec:
 kinds:
 - Pod
 validate:
- message: "Image registry is not allowed"
- pattern:
- spec:
+ message: "White list of image registries"
+ anyPattern:
+ - spec:
 containers:
- - name: "*"
- # Check allowed registries
- image: "*nirmata* | https://private.registry.io/*"
+ - image: "https://private.registry.io/*"
+ - spec:
+ containers:
+ - image: "*nirmata*"
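Review bot: The first `anyPattern` entry, `- image: "https://private.registry.io/*"`, will not match real Pods: container image references carry no URL scheme (they look like `private.registry.io/team/app:tag`), so only the `*nirmata*` branch can ever admit an image. That second pattern is unanchored — it accepts any reference containing the substring `nirmata` anywhere, including a repository or tag name on an arbitrary registry — so the rule does not actually restrict the registry. Anchoring both entries to a registry prefix, e.g. `- image: "private.registry.io/*"` and `- image: "docker.io/nirmata/*"` (exact host and namespace to be confirmed by the policy owners), closes both gaps; whether unqualified references such as `nirmata/nginx` are normalized to a full registry path before matching is not visible here and should be checked. The new `message: "White list of image registries"` reads like a title rather than a reason; since it is what the owner of a denied Pod sees, a wording like `message: "Image registry is not allowed; use private.registry.io or nirmata images"` would be more useful.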
diff --git a/examples/best_practices/resources/resource_validate_whitelist_image_registries.yaml b/examples/best_practices/resources/resource_validate_whitelist_image_registries.yaml
new file mode 100644
index 0000000000..7c23f0ef07
--- /dev/null
+++ b/examples/best_practices/resources/resource_validate_whitelist_image_registries.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nirmata-nginx
+spec:
+ containers:
+ - name: nirmata-nginx
+ image: nirmata/nginx
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index f4e15af29c..cecf69c88b 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -135,3 +135,7 @@ func Test_validate_disallow_sysctl(t *testing.T) {
 func Test_validate_volume_whitelist(t *testing.T) {
 testScenario(t, "test/scenarios/test/scenario_validate_volume_whiltelist.yaml")
 }
+
+func Test_validate_whitelist_image_registries(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_whitelist_image_registries.yaml")
+}
diff --git a/test/scenarios/test/scenario_validate_whitelist_image_registries.yaml b/test/scenarios/test/scenario_validate_whitelist_image_registries.yaml
new file mode 100644
index 0000000000..cd5363341a
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_whitelist_image_registries.yaml
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+ policy: examples/best_practices/policy_validate_whitelist_image_registries.yaml
+ resource: examples/best_practices/resources/resource_validate_whitelist_image_registries.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: validate-image-registry
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: nirmata-nginx
+ rules:
+ - name: validate-image-registry
+ type: Validation
+ message: Validation rule 'validate-image-registry' anyPattern[1] succesfully validated
+ success: true
\ No newline at end of file
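Review bot: The scenario only covers the permitted path — `nirmata/nginx` satisfying `anyPattern[1]` with `success: true` — so nothing asserts that an image from a registry outside the list is rejected, and the first pattern (`https://private.registry.io/*`) is not exercised by any fixture. A companion scenario with a non-matching image and `success: false`, plus a matching `Test_` wrapper in pkg/testrunner/testrunner_test.go, would pin the deny behaviour this policy exists for. The expected message contains `succesfully`; if that mirrors the engine's actual output it is fine as-is, but it is worth confirming rather than locking the spelling into the fixture.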