Define a Rego package with two rule sets: one using deny or violation rules that fail when required label keys are absent from input.review.object.metadata.labels, and one that fails when any container image prefix is not in an allowed registries list.
Parameterize the allowed registries and required labels as constants or input data so the policy can be reused across environments without editing Rego source.
Write a _test.rego file in the same package using test_ prefixed rules; provide mock input objects that cover compliant and non-compliant cases for both rule sets.
Run opa test ./policies/ to execute unit tests; add --coverage to measure which rules are exercised.
Integrate opa test in CI so failures block the pipeline before the policy is published to a bundle or Gatekeeper.
Known gotchas
Rego's startswith and indexing on image strings differs from glob matching; validate your registry prefix logic against images with port numbers and digests.
The test file must be in the same package or import the package under test; mismatched package declarations cause tests to silently not run.
Avoid hardcoding registry lists in Rego source; load them from external data so policy updates don't require recompiling the bundle.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp