redhat-cop/rego-policies

unknown registry fires if image is empty

garethahealy opened this issue · 4 comments

It also needs to handle images from the local registry, i.e.:

In this example, it fires:

container 'etherpad' is from (etherpad/etherpad:latest), which is an unknown registry.

Suggest we split on / to check there is a registry specified, if not, skip.

Also, another reason for checking for /

container 'sonarqube' is from (sonarqube:8.2-community), which is an unknown registry.

Hmm, I can check it like here, but I need to think about how to differentiate between something like docker.io/ngnix:latest and etherpad/etherpad:latest... and I think etherpad/etherpad:latest or sonarqube:8.2-community points to docker.io anyway 😅
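One way to make the distinction discussed above, as an added example that is not part of the thread or the project's policy code: Docker's reference normalisation treats the first path component as a registry host only when it contains "." or ":" or is "localhost", and otherwise defaults to docker.io. The package name, the allow-list, the helper names (`registry_of`, `explicit_host`, `is_host`) and the Deployment-shaped input are assumptions.

```rego
package example.image_registry

import rego.v1

# Assumed allow-list for this example; not the project's own list.
allowed_registries := {"docker.io", "quay.io", "registry.redhat.io"}

# Docker's rule: the first path component is a registry host only if it
# contains "." or ":" or is "localhost".
is_host(s) if contains(s, ".")
is_host(s) if contains(s, ":")
is_host(s) if s == "localhost"

explicit_host(parts) if {
	count(parts) > 1
	is_host(parts[0])
}

# Hypothetical helper: registry implied by an image reference.
registry_of(image) := parts[0] if {
	parts := split(image, "/")
	explicit_host(parts)
}

# No explicit host: short names default to docker.io. Undefined for "".
registry_of(image) := "docker.io" if {
	image != ""
	parts := split(image, "/")
	not explicit_host(parts)
}

# Assumes a Deployment-shaped input; a container with no image is skipped.
unknown_registry contains msg if {
	some c in input.spec.template.spec.containers
	host := registry_of(object.get(c, "image", ""))
	not allowed_registries[host]
	msg := sprintf("container '%s' is from (%s), which is an unknown registry.", [c.name, c.image])
}

# Constructed cases; run with `opa test`.
test_short_names if {
	registry_of("sonarqube:8.2-community") == "docker.io"
	registry_of("etherpad/etherpad:latest") == "docker.io"
}

test_explicit_and_empty if {
	registry_of("registry.example.internal:5000/team/app:1") == "registry.example.internal:5000"
	not registry_of("")
}
```

Where the container runtime resolves short names through a configured registry search list, an unqualified name may not resolve to docker.io, so the default in the second `registry_of` rule should be adjusted to match the cluster.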