2023-05-25 14:18:52 +00:00
|
|
|
apiVersion: templates.gatekeeper.sh/v1
|
|
|
|
|
kind: ConstraintTemplate
|
|
|
|
|
metadata:
|
|
|
|
|
name: k8sblockingresspathtype
|
|
|
|
|
annotations:
|
|
|
|
|
metadata.gatekeeper.sh/title: "Block a pathType usage"
|
|
|
|
|
description: >-
|
|
|
|
|
Users should not be able to use specific pathTypes
|
|
|
|
|
spec:
|
|
|
|
|
crd:
|
|
|
|
|
spec:
|
|
|
|
|
names:
|
|
|
|
|
kind: K8sBlockIngressPathType
|
|
|
|
|
validation:
|
|
|
|
|
openAPIV3Schema:
|
|
|
|
|
type: object
|
|
|
|
|
properties:
|
|
|
|
|
blockedTypes:
|
|
|
|
|
type: array
|
2024-09-06 14:59:43 +00:00
|
|
|
items:
|
|
|
|
|
type: string
|
2023-05-25 14:18:52 +00:00
|
|
|
namespacesExceptions:
|
|
|
|
|
type: array
|
2024-09-06 14:59:43 +00:00
|
|
|
items:
|
2023-05-25 14:18:52 +00:00
|
|
|
type: string
|
|
|
|
|
targets:
|
|
|
|
|
- target: admission.k8s.gatekeeper.sh
|
|
|
|
|
rego: |
|
|
|
|
|
package K8sBlockIngressPathType
|
|
|
|
|
|
|
|
|
|
violation[{"msg": msg}] {
|
|
|
|
|
input.review.kind.kind == "Ingress"
|
|
|
|
|
ns := input.review.object.metadata.namespace
|
2024-09-06 14:59:43 +00:00
|
|
|
exemptNS := [good | exempts = input.parameters.namespacesExceptions[_] ; good = exempts == ns]
|
|
|
|
|
not any(exemptNS)
|
2023-05-25 14:18:52 +00:00
|
|
|
pathType := object.get(input.review.object.spec.rules[_].http.paths[_], "pathType", "")
|
|
|
|
|
blockedPath := [blocked | blockedTypes = input.parameters.blockedTypes[_] ; blocked = blockedTypes == pathType]
|
|
|
|
|
any(blockedPath)
|
|
|
|
|
msg := sprintf("pathType '%v' is not allowed in this namespace", [pathType])
|
|
|
|
|
}
|
