apiVersion: policy.nirmata.io/v1alpha1
kind: Policy
metadata:
  name: whitelist-registries
spec:
  rules:
  - name: check-whitelist-registries
    message: "Registry is not allowed"
    resource:
      kind: Deployment
    validate:
      pattern:
        template:
          spec:
            containers:              
              - image: "(*:latest)"       # select images which end with :latest            
                imagePullPolicy: "Always" # ensure that the imagePullPolicy is "Always"