kubelatte-ce

1
spec:
2
  type: rego
3
  data: |-
4
    import future.keywords.contains
5
    import future.keywords.if
6
    
7
    violation contains {"msg": msg} if {
8
      params := object.get(input, "parameters", {})
9
      objName := input.review.name
10
    
11
      affectedServiceAccounts := object.get(params, "affectedServiceAccounts", [])
12
      affected(input.review.userInfo.username, affectedServiceAccounts)
13
    
14
      allowSA := object.get(params, "serviceAccounts", [])
15
      checkAllSARoles(input.review.object.subjects, allowSA, input.review.object.roleRef)
16
      msg := sprintf("Create binding '%v' denied. Role disallowed.", [objName])
17
    }
18
    
19
    violation contains {"msg": msg} if {
20
      params := object.get(input, "parameters", {})
21
      objName := input.review.name
22
    
23
      affectedServiceAccounts := object.get(params, "affectedServiceAccounts", [])
24
      affected(input.review.userInfo.username, affectedServiceAccounts)
25
    
26
      allowSA := object.get(params, "serviceAccounts", [])
27
      checkAllSA(input.review.object.subjects, allowSA)
28
      msg := sprintf("Create binding '%v' denied. SA disallowed.", [objName])
29
    }
30
    
31
    violation contains {"msg": msg} if {
32
      input.review.kind.kind = "ClusterRoleBinding"
33
      params := object.get(input, "parameters", {})
34
      objName := input.review.name
35
    
36
      affectedServiceAccounts := object.get(params, "affectedServiceAccounts", [])
37
      affected(input.review.userInfo.username, affectedServiceAccounts)
38
    
39
      allowNamespaces := object.get(params, "allowedNamespaces", [])
40
      checkAllNamespaces(input.review.object.subjects, allowNamespaces)
41
    
42
      msg := sprintf("Create binding '%v' denied. Namespace disallowed.", [objName])
43
    }
44
    
45
    violation contains {"msg": msg} if {
46
      input.review.kind.kind = "RoleBinding"
47
      params := object.get(input, "parameters", {})
48
      objName := input.review.name
49
    
50
      affectedServiceAccounts := object.get(params, "affectedServiceAccounts", [])
51
      affected(input.review.userInfo.username, affectedServiceAccounts)
52
    
53
      allowNamespaces := object.get(params, "allowedNamespaces", [])
54
      not checkSimpleMatchAny(input.review.object.metadata.namespace, allowNamespaces)
55
    
56
      msg := sprintf("Create binding '%v' denied. Namespace disallowed.", [objName])
57
    }
58
    
59
    checkAllNamespaces(subjects, namespaces) if {
60
      subject := subjects[_]
61
        not checkSimpleMatchAny(subject.namespace, namespaces)
62
    }
63
    
64
    checkMatchAny(objName, roles) if {
65
      role := roles[_]
66
      roleName := object.get(role, "pattern", "")
67
      regex.match(roleName, objName)
68
    }
69
    
70
    checkSimpleMatchAny(objName, roles) if {
71
      role := roles[_]
72
      regex.match(role, objName)
73
    }
74
    
75
    checkAllSARoles(subjects, allowed, roleref) if {
76
      sa := subjects[_]
77
      not checkSAMatchRole(sa.name, allowed, roleref)
78
    }
79
    
80
    checkSAMatchRole(saName, allowed, roleref) if {
81
      sa := allowed[_]
82
      saNamePattern := object.get(sa, "name", "")
83
      regex.match(saNamePattern, saName)
84
      saAllowedRoles := object.get(sa, "roles", "")
85
      checkSimpleMatchAny(roleref.name, saAllowedRoles)
86
    }
87
    
88
    checkAllSA(subjects, allowed) if {
89
      sa := subjects[_]
90
      not checkSAMatchAny(sa.name, allowed)
91
    }
92
    
93
    checkSAMatchAny(saName, allowed) if {
94
      sa := allowed[_]
95
      saNamePattern := object.get(sa, "name", "")
96
      regex.match(saNamePattern, saName)
97
    }
98
    
99
    affected(userInfo, affectedServiceAccounts) if {
100
      username := affectedServiceAccounts[_]
101
      regex.match(username, userInfo)
102
    }