diff --git a/examples/container_deny_added_caps/template.yaml b/examples/container_deny_added_caps/template.yaml index 91fdc1f6..d98b1b4f 100755 --- a/examples/container_deny_added_caps/template.yaml +++ b/examples/container_deny_added_caps/template.yaml @@ -22,11 +22,22 @@ spec: has_field(input.review, "object") } + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + resource := input.review.object if { is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") } - resource := input if { + else := input if { not is_gatekeeper } @@ -47,6 +58,12 @@ spec: annotations := resource.metadata.annotations + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + gv := split(apiVersion, "/") group := gv[0] if { diff --git a/examples/container_deny_escalation/template.yaml b/examples/container_deny_escalation/template.yaml index 8b2e9f7b..c0780f39 100755 --- a/examples/container_deny_escalation/template.yaml +++ b/examples/container_deny_escalation/template.yaml @@ -22,11 +22,22 @@ spec: has_field(input.review, "object") } + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + resource := input.review.object if { is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") } - resource := input if { + else := input if { not is_gatekeeper } @@ -47,6 +58,12 @@ spec: annotations := resource.metadata.annotations + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + gv := split(apiVersion, "/") group := gv[0] if { diff --git a/examples/container_deny_latest_tag/template.yaml b/examples/container_deny_latest_tag/template.yaml index 80c3c31b..de728ae8 100644 
--- a/examples/container_deny_latest_tag/template.yaml +++ b/examples/container_deny_latest_tag/template.yaml @@ -22,11 +22,22 @@ spec: has_field(input.review, "object") } + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + resource := input.review.object if { is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") } - resource := input if { + else := input if { not is_gatekeeper } @@ -47,6 +58,12 @@ spec: annotations := resource.metadata.annotations + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + gv := split(apiVersion, "/") group := gv[0] if { diff --git a/examples/container_deny_privileged/template.yaml b/examples/container_deny_privileged/template.yaml index 74cc3cef..eef4b786 100755 --- a/examples/container_deny_privileged/template.yaml +++ b/examples/container_deny_privileged/template.yaml @@ -22,11 +22,22 @@ spec: has_field(input.review, "object") } + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + resource := input.review.object if { is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") } - resource := input if { + else := input if { not is_gatekeeper } @@ -47,6 +58,12 @@ spec: annotations := resource.metadata.annotations + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + gv := split(apiVersion, "/") group := gv[0] if { diff --git a/examples/container_deny_privileged_if_tenant/template.yaml b/examples/container_deny_privileged_if_tenant/template.yaml index 3795bc83..cdfe818f 100755 --- a/examples/container_deny_privileged_if_tenant/template.yaml +++ b/examples/container_deny_privileged_if_tenant/template.yaml 
@@ -22,11 +22,22 @@ spec: has_field(input.review, "object") } + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + resource := input.review.object if { is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") } - resource := input if { + else := input if { not is_gatekeeper } @@ -47,6 +58,12 @@ spec: annotations := resource.metadata.annotations + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + gv := split(apiVersion, "/") group := gv[0] if { diff --git a/examples/container_deny_without_resource_constraints/template.yaml b/examples/container_deny_without_resource_constraints/template.yaml index 14fbf2de..2c84e66f 100644 --- a/examples/container_deny_without_resource_constraints/template.yaml +++ b/examples/container_deny_without_resource_constraints/template.yaml @@ -22,11 +22,22 @@ spec: has_field(input.review, "object") } + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + resource := input.review.object if { is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") } - resource := input if { + else := input if { not is_gatekeeper } @@ -47,6 +58,12 @@ spec: annotations := resource.metadata.annotations + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + gv := split(apiVersion, "/") group := gv[0] if { diff --git a/examples/lib/core.rego b/examples/lib/core.rego index b61c5cb1..c85d7905 100644 --- a/examples/lib/core.rego +++ b/examples/lib/core.rego 
@@ -9,11 +9,22 @@ is_gatekeeper if {
 has_field(input.review, "object")
 }
+is_gatekeeper if {
+ has_field(input, "review")
+ has_field(input.review, "oldObject")
+}
+
 resource := input.review.object if {
 is_gatekeeper
+ has_field(input.review, "object")
+}
+
+else := input.review.oldObject if {
+ is_gatekeeper
+ has_field(input.review, "oldObject")
 }
-resource := input if {
+else := input if {
 not is_gatekeeper
 }
@@ -34,6 +45,12 @@ labels := resource.metadata.labels
 annotations := resource.metadata.annotations
+operation := input.review.operation if {
+ is_gatekeeper
+} else := input.operation if {
+ not is_gatekeeper
+}
+
 gv := split(apiVersion, "/")
 group := gv[0] if {
diff --git a/examples/lib/core_test.rego b/examples/lib/core_test.rego
index 5e49b8ae..b613b6bb 100644
--- a/examples/lib/core_test.rego
+++ b/examples/lib/core_test.rego
@@ -10,6 +10,10 @@ test_is_gk if {
 is_gatekeeper with input as {"review": {"object": {"kind": "test"}}}
 }
+test_is_gk_oldobject if {
+ is_gatekeeper with input as {"review": {"oldObject": {"kind": "test"}}}
+}
+
 test_has_field_pos if {
 has_field({"kind": "test"}, "kind")
 }
diff --git a/examples/namespace_deny_deletion/constraint.yaml b/examples/namespace_deny_deletion/constraint.yaml
new file mode 100644
index 00000000..35619c8d
--- /dev/null
+++ b/examples/namespace_deny_deletion/constraint.yaml
@@ -0,0 +1,11 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: NamespaceDenyDeletion
+metadata:
+ name: namespacedenydeletion
+spec:
+ match:
+ kinds:
+ - apiGroups:
+ - ""
+ kinds:
+ - Namespace
diff --git a/examples/namespace_deny_deletion/src.rego b/examples/namespace_deny_deletion/src.rego
new file mode 100644
index 00000000..be24fe9f
--- /dev/null
+++ b/examples/namespace_deny_deletion/src.rego
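Review bot: The new `has_field(input.review, "object")` guard on the first `resource` branch cannot tell an absent key from a key whose value is null, because `has_field` only compares `object.get(obj, field, "N_DEFINED")` against the sentinel and a null value is not the sentinel. An AdmissionReview for a DELETE may carry `"object": null` next to a populated `oldObject`; in that case `resource` binds to null, the `oldObject` branch is never consulted, and every value derived from `resource` (`kind`, `name`, `annotations`) is undefined, so a policy such as the new namespace-deletion rule silently fails open. Guarding on the value instead of the key covers both cases, since a missing key leaves the comparison undefined and the `else` chain still falls through: `resource := input.review.object if { is_gatekeeper; input.review.object != null }`. The same lib text is inlined into every template.yaml touched by this change, so whatever fix lands here has to be propagated to those copies as well (whether they are generated from core.rego is not visible in the diff).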
@@ -0,0 +1,31 @@
+# METADATA
+# title: Namespace deletion must be denied unless explicitly allowed
+# description: >-
+# Prevent deletion of Kubernetes namespaces to avoid accidental or unauthorized removal of critical workloads.
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Namespace
+package namespace_deny_delete
+
+import data.lib.core
+import future.keywords.contains
+import future.keywords.if
+import future.keywords.if
+
+policyID := "P2007"
+
+violation contains msg if {
+ core.kind == "Namespace"
+ core.operation == "DELETE"
+ not allow_namespace_deletion
+
+ msg := core.format_with_id(sprintf("%s/%s: Deletion of Namespace is not allowed", [core.kind, core.name]), policyID)
+}
+
+allow_namespace_deletion if {
+ core.annotations["allow-deletion"] == "true"
+}
diff --git a/examples/namespace_deny_deletion/src_test.rego b/examples/namespace_deny_deletion/src_test.rego
new file mode 100644
index 00000000..98ab0e4f
--- /dev/null
+++ b/examples/namespace_deny_deletion/src_test.rego
@@ -0,0 +1,25 @@
+package namespace_deny_delete
+
+import future.keywords.if
+
+test_deny_namespace_delete_without_annotation if {
+ not allow_namespace_deletion with input as {
+ "kind": "Namespace",
+ "metadata": {
+ "name": "my-ns",
+ "annotations": {},
+ },
+ "operation": "DELETE",
+ }
+}
+
+test_allow_namespace_delete_with_annotation if {
+ allow_namespace_deletion with input as {
+ "kind": "Namespace",
+ "metadata": {
+ "name": "safe-ns",
+ "annotations": {"allow-deletion": "true"},
+ },
+ "operation": "DELETE",
+ }
+}
diff --git a/examples/namespace_deny_deletion/template.yaml b/examples/namespace_deny_deletion/template.yaml
new file mode 100644
index 00000000..d6c95924
--- /dev/null
+++ b/examples/namespace_deny_deletion/template.yaml
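Review bot: The escape hatch in `allow_namespace_deletion` lives on the namespace being deleted, so any principal allowed to `update`/`patch` Namespaces can set `allow-deletion: "true"` and then delete; the policy only protects against "accidental or unauthorized removal" to the extent that RBAC on annotating namespaces is at least as strict as RBAC on deleting them, which the policy itself cannot enforce. That trust boundary belongs in the METADATA description, e.g. `#   Deletion is permitted only when the namespace carries the annotation allow-deletion="true"; restrict who may set that annotation, because anyone who can annotate the namespace can bypass this policy.` The `core.operation == "DELETE"` line is also silently fail-open when the input has no operation field (the rule is simply undefined), which is fine for a delete policy but deserves a one-line comment. Separately, `import future.keywords.if` is listed twice; drop the duplicate.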
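Review bot: Both tests call `allow_namespace_deletion` directly and never evaluate `violation`, so the `core.kind == "Namespace"` and `core.operation == "DELETE"` conditions, and the Gatekeeper-shaped DELETE input path (`review.oldObject` plus `review.operation`) that this change adds to lib.core specifically for this policy, are not exercised at all. The existing tests also use the flat (non-Gatekeeper) input shape, which is the one path the new `oldObject`/`operation` plumbing is not for. Add tests that evaluate `violation` against a Gatekeeper review: one DELETE with `oldObject` and no allow annotation that must yield exactly one violation, and one CREATE with `object` that must yield none. These rely on `data.lib.core` being loaded alongside, as the policy itself already does.

```rego
test_violation_on_gatekeeper_delete if {
	count(violation) == 1 with input as {"review": {
		"operation": "DELETE",
		"oldObject": {"kind": "Namespace", "metadata": {"name": "my-ns", "annotations": {}}},
	}}
}

test_no_violation_on_gatekeeper_create if {
	count(violation) == 0 with input as {"review": {
		"operation": "CREATE",
		"object": {"kind": "Namespace", "metadata": {"name": "my-ns"}},
	}}
}
```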
@@ -0,0 +1,112 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + creationTimestamp: null + name: namespacedenydeletion +spec: + crd: + spec: + names: + kind: NamespaceDenyDeletion + targets: + - libs: + - |- + package lib.core + + import future.keywords.if + + default is_gatekeeper := false + + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "object") + } + + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + + resource := input.review.object if { + is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") + } + + else := input if { + not is_gatekeeper + } + + format(msg) := {"msg": msg} + + format_with_id(msg, id) := { + "msg": sprintf("%s: %s", [id, msg]), + "details": {"policyID": id}, + } + + apiVersion := resource.apiVersion + + name := resource.metadata.name + + kind := resource.kind + + labels := resource.metadata.labels + + annotations := resource.metadata.annotations + + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + + gv := split(apiVersion, "/") + + group := gv[0] if { + contains(apiVersion, "/") + } + + group := "core" if { + not contains(apiVersion, "/") + } + + version := gv[count(gv) - 1] + + has_field(obj, field) if { + not object.get(obj, field, "N_DEFINED") == "N_DEFINED" + } + + missing_field(obj, field) if { + obj[field] == "" + } + + missing_field(obj, field) if { + not has_field(obj, field) + } + rego: |- + package namespace_deny_delete + + import data.lib.core + import future.keywords.contains + import future.keywords.if + import future.keywords.if + + policyID := "P2007" + + violation contains msg if { + core.kind == "Namespace" + core.operation == "DELETE" + not allow_namespace_deletion + + msg := core.format_with_id(sprintf("%s/%s: Deletion of Namespace is not allowed", [core.kind, 
core.name]), policyID) + } + + allow_namespace_deletion if { + core.annotations["allow-deletion"] == "true" + } + target: admission.k8s.gatekeeper.sh +status: {} diff --git a/examples/pod_deny_host_alias/template.yaml b/examples/pod_deny_host_alias/template.yaml index 9d1d64b7..4ad7d942 100755 --- a/examples/pod_deny_host_alias/template.yaml +++ b/examples/pod_deny_host_alias/template.yaml @@ -22,11 +22,22 @@ spec: has_field(input.review, "object") } + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + resource := input.review.object if { is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") } - resource := input if { + else := input if { not is_gatekeeper } @@ -47,6 +58,12 @@ spec: annotations := resource.metadata.annotations + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + gv := split(apiVersion, "/") group := gv[0] if { diff --git a/examples/pod_deny_host_ipc/template.yaml b/examples/pod_deny_host_ipc/template.yaml index 9bcbaa40..72e6a93c 100755 --- a/examples/pod_deny_host_ipc/template.yaml +++ b/examples/pod_deny_host_ipc/template.yaml @@ -22,11 +22,22 @@ spec: has_field(input.review, "object") } + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + resource := input.review.object if { is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") } - resource := input if { + else := input if { not is_gatekeeper } @@ -47,6 +58,12 @@ spec: annotations := resource.metadata.annotations + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + gv := split(apiVersion, "/") group := gv[0] if { 
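Review bot: This template only does anything if Gatekeeper's validating webhook actually receives DELETE admission requests, and as far as I recall the stock ValidatingWebhookConfiguration registers only CREATE and UPDATE, so on a default install the constraint is accepted but never fires on a namespace delete — a silent no-op for a control whose whole purpose is to block deletions. That prerequisite should be recorded where the policy is documented (the description in src.rego, which the policies.md entries appear to be generated from), e.g. `#   Requires the Gatekeeper validating webhook to be configured for the DELETE operation; with a CREATE/UPDATE-only webhook this policy never fires.` It is also worth confirming which of `review.object` / `review.oldObject` Gatekeeper populates on DELETE, since the inlined `lib.core` here now keys its `resource` selection on exactly that shape. The embedded rego repeats the duplicated `import future.keywords.if` from src.rego and should pick up that cleanup if the template is regenerated.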
diff --git a/examples/pod_deny_host_network/template.yaml b/examples/pod_deny_host_network/template.yaml index ded23000..f9844bc1 100755 --- a/examples/pod_deny_host_network/template.yaml +++ b/examples/pod_deny_host_network/template.yaml @@ -22,11 +22,22 @@ spec: has_field(input.review, "object") } + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + resource := input.review.object if { is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") } - resource := input if { + else := input if { not is_gatekeeper } @@ -47,6 +58,12 @@ spec: annotations := resource.metadata.annotations + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + gv := split(apiVersion, "/") group := gv[0] if { diff --git a/examples/pod_deny_host_pid/template.yaml b/examples/pod_deny_host_pid/template.yaml index 6ad8609d..c8a59338 100755 --- a/examples/pod_deny_host_pid/template.yaml +++ b/examples/pod_deny_host_pid/template.yaml @@ -22,11 +22,22 @@ spec: has_field(input.review, "object") } + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + resource := input.review.object if { is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") } - resource := input if { + else := input if { not is_gatekeeper } @@ -47,6 +58,12 @@ spec: annotations := resource.metadata.annotations + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + gv := split(apiVersion, "/") group := gv[0] if { diff --git a/examples/pod_deny_without_runasnonroot/template.yaml b/examples/pod_deny_without_runasnonroot/template.yaml index 1ceae544..397fd2a1 100755 --- a/examples/pod_deny_without_runasnonroot/template.yaml 
+++ b/examples/pod_deny_without_runasnonroot/template.yaml @@ -22,11 +22,22 @@ spec: has_field(input.review, "object") } + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + resource := input.review.object if { is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") } - resource := input if { + else := input if { not is_gatekeeper } @@ -47,6 +58,12 @@ spec: annotations := resource.metadata.annotations + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + gv := split(apiVersion, "/") group := gv[0] if { diff --git a/examples/policies-no-rego.md b/examples/policies-no-rego.md index ef2c6fe8..9f377d56 100644 --- a/examples/policies-no-rego.md +++ b/examples/policies-no-rego.md @@ -22,6 +22,7 @@ * [P2002: Containers must define resource constraints](#p2002-containers-must-define-resource-constraints) * [P2005: Roles must not allow use of privileged PodSecurityPolicies](#p2005-roles-must-not-allow-use-of-privileged-podsecuritypolicies) * [P2006: Tenants' containers must not run as privileged](#p2006-tenants-containers-must-not-run-as-privileged) +* [P2007: Namespace deletion must be denied unless explicitly allowed](#p2007-namespace-deletion-must-be-denied-unless-explicitly-allowed) ## Warnings @@ -351,6 +352,18 @@ that enforces the 'is-tenant' label. _source: [container_deny_privileged_if_tenant](container_deny_privileged_if_tenant)_ +## P2007: Namespace deletion must be denied unless explicitly allowed + +**Severity:** Violation + +**Resources:** + +* core/Namespace + +Prevent deletion of Kubernetes namespaces to avoid accidental or unauthorized removal of critical workloads. + +_source: [namespace_deny_deletion](namespace_deny_deletion)_ + ## P0001: Deprecated Deployment and DaemonSet API **Severity:** Warning 
diff --git a/examples/policies.md b/examples/policies.md index 93ad1aa6..a84878ae 100755 --- a/examples/policies.md +++ b/examples/policies.md @@ -22,6 +22,7 @@ * [P2002: Containers must define resource constraints](#p2002-containers-must-define-resource-constraints) * [P2005: Roles must not allow use of privileged PodSecurityPolicies](#p2005-roles-must-not-allow-use-of-privileged-podsecuritypolicies) * [P2006: Tenants' containers must not run as privileged](#p2006-tenants-containers-must-not-run-as-privileged) +* [P2007: Namespace deletion must be denied unless explicitly allowed](#p2007-namespace-deletion-must-be-denied-unless-explicitly-allowed) ## Warnings @@ -916,6 +917,43 @@ container_is_privileged(container) if { _source: [container_deny_privileged_if_tenant](container_deny_privileged_if_tenant)_ +## P2007: Namespace deletion must be denied unless explicitly allowed + +**Severity:** Violation + +**Resources:** + +* core/Namespace + +Prevent deletion of Kubernetes namespaces to avoid accidental or unauthorized removal of critical workloads. + +### Rego + +```rego +package namespace_deny_delete + +import data.lib.core +import future.keywords.contains +import future.keywords.if +import future.keywords.if + +policyID := "P2007" + +violation contains msg if { + core.kind == "Namespace" + core.operation == "DELETE" + not allow_namespace_deletion + + msg := core.format_with_id(sprintf("%s/%s: Deletion of Namespace is not allowed", [core.kind, core.name]), policyID) +} + +allow_namespace_deletion if { + core.annotations["allow-deletion"] == "true" +} +``` + +_source: [namespace_deny_deletion](namespace_deny_deletion)_ + ## P0001: Deprecated Deployment and DaemonSet API **Severity:** Warning diff --git a/examples/psp_deny_added_caps/template.yaml b/examples/psp_deny_added_caps/template.yaml index 5cafeac9..664c59ae 100755 --- a/examples/psp_deny_added_caps/template.yaml +++ b/examples/psp_deny_added_caps/template.yaml 
@@ -22,11 +22,22 @@ spec: has_field(input.review, "object") } + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + resource := input.review.object if { is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") } - resource := input if { + else := input if { not is_gatekeeper } @@ -47,6 +58,12 @@ spec: annotations := resource.metadata.annotations + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + gv := split(apiVersion, "/") group := gv[0] if { diff --git a/examples/psp_deny_escalation/template.yaml b/examples/psp_deny_escalation/template.yaml index 2513ce31..e710e21f 100755 --- a/examples/psp_deny_escalation/template.yaml +++ b/examples/psp_deny_escalation/template.yaml @@ -22,11 +22,22 @@ spec: has_field(input.review, "object") } + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + resource := input.review.object if { is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") } - resource := input if { + else := input if { not is_gatekeeper } @@ -47,6 +58,12 @@ spec: annotations := resource.metadata.annotations + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + gv := split(apiVersion, "/") group := gv[0] if { diff --git a/examples/psp_deny_host_alias/template.yaml b/examples/psp_deny_host_alias/template.yaml index aa109d85..5e94d840 100755 --- a/examples/psp_deny_host_alias/template.yaml +++ b/examples/psp_deny_host_alias/template.yaml 
@@ -22,11 +22,22 @@ spec: has_field(input.review, "object") } + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + resource := input.review.object if { is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") } - resource := input if { + else := input if { not is_gatekeeper } @@ -47,6 +58,12 @@ spec: annotations := resource.metadata.annotations + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + gv := split(apiVersion, "/") group := gv[0] if { diff --git a/examples/psp_deny_host_ipc/template.yaml b/examples/psp_deny_host_ipc/template.yaml index 54481197..a9e2c3f9 100755 --- a/examples/psp_deny_host_ipc/template.yaml +++ b/examples/psp_deny_host_ipc/template.yaml @@ -22,11 +22,22 @@ spec: has_field(input.review, "object") } + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + resource := input.review.object if { is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") } - resource := input if { + else := input if { not is_gatekeeper } @@ -47,6 +58,12 @@ spec: annotations := resource.metadata.annotations + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + gv := split(apiVersion, "/") group := gv[0] if { diff --git a/examples/psp_deny_host_network/template.yaml b/examples/psp_deny_host_network/template.yaml index ad26d68b..e01a4296 100755 --- a/examples/psp_deny_host_network/template.yaml +++ b/examples/psp_deny_host_network/template.yaml 
@@ -22,11 +22,22 @@ spec: has_field(input.review, "object") } + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + resource := input.review.object if { is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") } - resource := input if { + else := input if { not is_gatekeeper } @@ -47,6 +58,12 @@ spec: annotations := resource.metadata.annotations + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + gv := split(apiVersion, "/") group := gv[0] if { diff --git a/examples/psp_deny_host_pid/template.yaml b/examples/psp_deny_host_pid/template.yaml index 090a76b6..9f6a7329 100755 --- a/examples/psp_deny_host_pid/template.yaml +++ b/examples/psp_deny_host_pid/template.yaml @@ -22,11 +22,22 @@ spec: has_field(input.review, "object") } + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + resource := input.review.object if { is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") } - resource := input if { + else := input if { not is_gatekeeper } @@ -47,6 +58,12 @@ spec: annotations := resource.metadata.annotations + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + gv := split(apiVersion, "/") group := gv[0] if { diff --git a/examples/psp_deny_privileged/template.yaml b/examples/psp_deny_privileged/template.yaml index decb6658..34482bd2 100755 --- a/examples/psp_deny_privileged/template.yaml +++ b/examples/psp_deny_privileged/template.yaml 
@@ -22,11 +22,22 @@ spec: has_field(input.review, "object") } + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + resource := input.review.object if { is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") } - resource := input if { + else := input if { not is_gatekeeper } @@ -47,6 +58,12 @@ spec: annotations := resource.metadata.annotations + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + gv := split(apiVersion, "/") group := gv[0] if { diff --git a/examples/required_labels/template.yaml b/examples/required_labels/template.yaml index 6c3ee616..ad7c52d3 100755 --- a/examples/required_labels/template.yaml +++ b/examples/required_labels/template.yaml @@ -31,11 +31,22 @@ spec: has_field(input.review, "object") } + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + resource := input.review.object if { is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") } - resource := input if { + else := input if { not is_gatekeeper } @@ -56,6 +67,12 @@ spec: annotations := resource.metadata.annotations + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + gv := split(apiVersion, "/") group := gv[0] if { diff --git a/examples/role_deny_use_privileged_psps/template.yaml b/examples/role_deny_use_privileged_psps/template.yaml index a602a1c2..40e449d6 100755 --- a/examples/role_deny_use_privileged_psps/template.yaml +++ b/examples/role_deny_use_privileged_psps/template.yaml 
@@ -22,11 +22,22 @@ spec: has_field(input.review, "object") } + is_gatekeeper if { + has_field(input, "review") + has_field(input.review, "oldObject") + } + resource := input.review.object if { is_gatekeeper + has_field(input.review, "object") + } + + else := input.review.oldObject if { + is_gatekeeper + has_field(input.review, "oldObject") } - resource := input if { + else := input if { not is_gatekeeper } @@ -47,6 +58,12 @@ spec: annotations := resource.metadata.annotations + operation := input.review.operation if { + is_gatekeeper + } else := input.operation if { + not is_gatekeeper + } + gv := split(apiVersion, "/") group := gv[0] if {