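spec:
  type: rego
  data: |-
    # Admission policy for RoleBinding / ClusterRoleBinding creation.
    #
    # Parameters (read from input.parameters; each one is optional):
    #   affectedServiceAccounts - regex patterns; a request is only examined when
    #                             input.review.userInfo.username matches one of
    #                             them. With no pattern configured, affected() is
    #                             never true and none of the violations below fire.
    #   serviceAccounts         - entries {name: <regex>, roles: [<regex>, ...]}
    #                             listing which subjects may be bound and to which
    #                             roles (roles are matched against roleRef.name).
    #   allowedNamespaces       - regex patterns for permitted namespaces
    #                             (subject namespaces for ClusterRoleBinding,
    #                             the binding's own namespace for RoleBinding).
    #
    # Every pattern is evaluated with regex.match, which is not anchored: the
    # pattern "admin" also matches "not-admin", and an entry whose "name" is
    # missing falls back to the pattern "", which matches any subject name.
    # Anchor patterns (^...$) wherever an exact name is intended.
    #
    # NOTE(review): a rule whose body references a field that is absent from the
    # reviewed object (subjects, roleRef, metadata.namespace) is undefined and
    # therefore produces no violation — confirm this fail-open behaviour is intended.
    import future.keywords.contains
    import future.keywords.if

    # Deny when some subject is bound to a role that its matching
    # serviceAccounts entry does not list.
    violation contains {"msg": msg} if {
      params := object.get(input, "parameters", {})
      objName := input.review.name

      affectedServiceAccounts := object.get(params, "affectedServiceAccounts", [])
      affected(input.review.userInfo.username, affectedServiceAccounts)

      allowSA := object.get(params, "serviceAccounts", [])
      checkAllSARoles(input.review.object.subjects, allowSA, input.review.object.roleRef)
      msg := sprintf("Create binding '%v' denied. Role disallowed.", [objName])
    }

    # Deny when some subject name matches no serviceAccounts entry at all.
    violation contains {"msg": msg} if {
      params := object.get(input, "parameters", {})
      objName := input.review.name

      affectedServiceAccounts := object.get(params, "affectedServiceAccounts", [])
      affected(input.review.userInfo.username, affectedServiceAccounts)

      allowSA := object.get(params, "serviceAccounts", [])
      checkAllSA(input.review.object.subjects, allowSA)
      msg := sprintf("Create binding '%v' denied. SA disallowed.", [objName])
    }

    # ClusterRoleBinding: every subject must live in an allowed namespace.
    violation contains {"msg": msg} if {
      input.review.kind.kind == "ClusterRoleBinding"
      params := object.get(input, "parameters", {})
      objName := input.review.name

      affectedServiceAccounts := object.get(params, "affectedServiceAccounts", [])
      affected(input.review.userInfo.username, affectedServiceAccounts)

      allowNamespaces := object.get(params, "allowedNamespaces", [])
      checkAllNamespaces(input.review.object.subjects, allowNamespaces)

      msg := sprintf("Create binding '%v' denied. Namespace disallowed.", [objName])
    }

    # RoleBinding: the binding's own namespace must be an allowed one.
    violation contains {"msg": msg} if {
      input.review.kind.kind == "RoleBinding"
      params := object.get(input, "parameters", {})
      objName := input.review.name

      affectedServiceAccounts := object.get(params, "affectedServiceAccounts", [])
      affected(input.review.userInfo.username, affectedServiceAccounts)

      allowNamespaces := object.get(params, "allowedNamespaces", [])
      not checkSimpleMatchAny(input.review.object.metadata.namespace, allowNamespaces)

      msg := sprintf("Create binding '%v' denied. Namespace disallowed.", [objName])
    }

    # True when at least one subject's namespace matches none of the patterns.
    # NOTE(review): a subject without a namespace field (e.g. kind User/Group)
    # makes the inner call undefined, so `not` holds and that subject is
    # reported as disallowed — confirm this is intended.
    checkAllNamespaces(subjects, namespaces) if {
      subject := subjects[_]
      not checkSimpleMatchAny(subject.namespace, namespaces)
    }

    # True when objName matches the "pattern" of at least one role entry.
    # Not referenced by the rules above; kept for callers elsewhere.
    checkMatchAny(objName, roles) if {
      role := roles[_]
      roleName := object.get(role, "pattern", "")
      regex.match(roleName, objName)
    }

    # True when objName matches at least one pattern in roles (a list of regex strings).
    checkSimpleMatchAny(objName, roles) if {
      role := roles[_]
      regex.match(role, objName)
    }

    # True when at least one subject is not permitted to hold roleref by any allowed entry.
    checkAllSARoles(subjects, allowed, roleref) if {
      sa := subjects[_]
      not checkSAMatchRole(sa.name, allowed, roleref)
    }

    # True when some allowed entry matches saName and lists roleref.name among its roles.
    checkSAMatchRole(saName, allowed, roleref) if {
      sa := allowed[_]
      saNamePattern := object.get(sa, "name", "")
      regex.match(saNamePattern, saName)
      # Default to an empty list, the type checkSimpleMatchAny iterates over;
      # an entry with no "roles" therefore permits no role.
      saAllowedRoles := object.get(sa, "roles", [])
      checkSimpleMatchAny(roleref.name, saAllowedRoles)
    }

    # True when at least one subject name matches no allowed entry.
    checkAllSA(subjects, allowed) if {
      sa := subjects[_]
      not checkSAMatchAny(sa.name, allowed)
    }

    # True when some allowed entry's "name" pattern matches saName.
    checkSAMatchAny(saName, allowed) if {
      sa := allowed[_]
      saNamePattern := object.get(sa, "name", "")
      regex.match(saNamePattern, saName)
    }

    # True when the requesting username matches at least one configured pattern.
    # userInfo is the username string; affectedServiceAccounts holds the patterns.
    affected(userInfo, affectedServiceAccounts) if {
      pattern := affectedServiceAccounts[_]
      regex.match(pattern, userInfo)
    }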