1spec:
2type: rego
3data: |-
4import future.keywords.contains
5import future.keywords.if
6
# Policy: restricts which RoleBindings / ClusterRoleBindings a set of
# "affected" requesters (matched by username regex) may create. Parameters:
#   affectedServiceAccounts: [<username regex>, ...]
#   serviceAccounts:         [{name: <subject-name regex>, roles: [<role regex>, ...]}, ...]
#   allowedNamespaces:       [<namespace regex>, ...]
# If affectedServiceAccounts is empty or absent, affected() is undefined and
# no rule below fires — a missing parameter disables the policy rather than
# denying (fail-open on misconfiguration).

# Deny when some subject of the binding is not paired with the requested
# roleRef.name by an entry of params.serviceAccounts.
# NOTE(review): subjects are matched on .name only — subject.kind and
# subject.namespace are not consulted, so a User subject whose name matches a
# service-account pattern passes as if it were that SA. All matches are
# unanchored regex searches (see checkSimpleMatchAny). No check is made on
# input.review.operation, so the "Create" wording applies to any operation
# routed here.
violation contains {"msg": msg} if {
	params := object.get(input, "parameters", {})
	affected(input.review.userInfo.username, object.get(params, "affectedServiceAccounts", []))

	binding := input.review.object
	checkAllSARoles(binding.subjects, object.get(params, "serviceAccounts", []), binding.roleRef)

	msg := sprintf("Create binding '%v' denied. Role disallowed.", [input.review.name])
}
18
# Deny when some subject of the binding matches no "name" pattern in
# params.serviceAccounts at all (independent of the role requested).
# NOTE(review): like the role rule, this keys on subject.name only; kind and
# namespace of the subject are ignored and patterns are matched unanchored.
violation contains {"msg": msg} if {
	params := object.get(input, "parameters", {})
	affected(input.review.userInfo.username, object.get(params, "affectedServiceAccounts", []))

	checkAllSA(input.review.object.subjects, object.get(params, "serviceAccounts", []))

	msg := sprintf("Create binding '%v' denied. SA disallowed.", [input.review.name])
}
30
# ClusterRoleBinding: deny when some subject's namespace matches none of
# params.allowedNamespaces. A subject without a namespace field (User and
# Group subjects, or a ServiceAccount entry that omits it) makes the negated
# lookup in checkAllNamespaces undefined, which counts as "not allowed" — so
# such bindings by an affected requester are always denied with this message.
violation contains {"msg": msg} if {
	input.review.kind.kind == "ClusterRoleBinding"

	params := object.get(input, "parameters", {})
	affected(input.review.userInfo.username, object.get(params, "affectedServiceAccounts", []))

	checkAllNamespaces(input.review.object.subjects, object.get(params, "allowedNamespaces", []))

	msg := sprintf("Create binding '%v' denied. Namespace disallowed.", [input.review.name])
}
44
# RoleBinding: deny when the binding's own namespace matches none of
# params.allowedNamespaces. Only metadata.namespace of the binding is checked;
# the namespaces of its subjects are not, so a ServiceAccount subject living
# in another namespace is not inspected by this rule.
# NOTE(review): input.review.namespace (the admission-request namespace) would
# be the more authoritative source than the object's metadata — confirm the
# admission payload kubelatte hands to this policy carries it.
violation contains {"msg": msg} if {
	input.review.kind.kind == "RoleBinding"

	params := object.get(input, "parameters", {})
	affected(input.review.userInfo.username, object.get(params, "affectedServiceAccounts", []))

	bindingNamespace := input.review.object.metadata.namespace
	not checkSimpleMatchAny(bindingNamespace, object.get(params, "allowedNamespaces", []))

	msg := sprintf("Create binding '%v' denied. Namespace disallowed.", [input.review.name])
}
58
# True when at least one subject has a namespace that matches none of the
# given regex patterns. A subject with no namespace field yields an undefined
# lookup, and `not <undefined>` succeeds, so it is treated as disallowed.
checkAllNamespaces(subjects, namespaces) if {
	some i
	subject := subjects[i]
	not checkSimpleMatchAny(subject.namespace, namespaces)
}
63
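# True when objName matches the "pattern" field of at least one entry in
# roles. Not referenced by any rule in this policy. An entry without a
# string "pattern" is skipped: previously it defaulted to "", and an empty
# regex matches every name, which silently turned a malformed entry into a
# wildcard allow. Matching is an unanchored regex search.
checkMatchAny(objName, roles) if {
	some i
	entry := roles[i]
	is_string(entry.pattern)
	regex.match(entry.pattern, objName)
}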
69
# True when objName matches at least one regex in roles. regex.match is a
# search, not a full match: the pattern "edit" also accepts "cluster-edit"
# and "edit-all", so parameter entries should be anchored ("^edit$") unless a
# substring match is intended. If roles is not iterable (e.g. a string) the
# function is undefined, i.e. nothing matches.
checkSimpleMatchAny(objName, roles) if {
	some i
	pattern := roles[i]
	regex.match(pattern, objName)
}
74
# True when at least one subject is not allowed the role named by roleref
# according to the allowed entries. Every subject is matched on .name alone,
# whatever its kind; a subject with no name field makes the lookup undefined
# and is therefore treated as disallowed.
checkAllSARoles(subjects, allowed, roleref) if {
	some i
	subject := subjects[i]
	not checkSAMatchRole(subject.name, allowed, roleref)
}
79
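# True when some entry in allowed ({name: <regex>, roles: [<regex>, ...]})
# matches saName by its "name" pattern AND lists a pattern matching
# roleref.name. Fixes two default-value problems of the previous version:
#  - a missing "name" defaulted to "", and an empty regex matches every
#    subject name, so an entry without a name was a silent wildcard;
#  - a missing "roles" defaulted to "" (a string, not a list), which only
#    worked because iterating a string is undefined.
# Now an entry is skipped unless "name" is a string and "roles" is an array;
# skipping means "no match", which the callers turn into a denial.
# Both matches are unanchored regex searches (see checkSimpleMatchAny).
checkSAMatchRole(saName, allowed, roleref) if {
	some i
	entry := allowed[i]
	is_string(entry.name)
	regex.match(entry.name, saName)
	is_array(entry.roles)
	checkSimpleMatchAny(roleref.name, entry.roles)
}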
87
# True when at least one subject's name matches no "name" pattern in allowed.
# Subject kind is not consulted; a subject without a name field makes the
# lookup undefined and counts as disallowed.
checkAllSA(subjects, allowed) if {
	some i
	subject := subjects[i]
	not checkSAMatchAny(subject.name, allowed)
}
92
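# True when saName matches the "name" regex of at least one entry in allowed.
# An entry whose "name" is missing or not a string is skipped. Previously a
# missing name defaulted to "", and an empty regex matches every subject
# name, so one malformed entry allowed any subject — the opposite of the
# fail-closed behaviour the callers expect. The match is an unanchored regex
# search, so anchor patterns ("^builder$") unless substring matching is meant.
checkSAMatchAny(saName, allowed) if {
	some i
	entry := allowed[i]
	is_string(entry.name)
	regex.match(entry.name, saName)
}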
98
# True when the requesting username (userInfo) matches at least one regex in
# affectedServiceAccounts; presumably these are Kubernetes service-account
# usernames of the form system:serviceaccount:<ns>:<name>. The match is an
# unanchored search, so anchor the patterns. With an empty list the function
# is undefined, and every violation rule that calls it is skipped.
affected(userInfo, affectedServiceAccounts) if {
	some i
	pattern := affectedServiceAccounts[i]
	regex.match(pattern, userInfo)
}