
Commit b710bb6

tst(ci): change opa policies settings
1 parent 837ae65 commit b710bb6

1 file changed

+16
-8
lines changed


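--- a/policies/kubernetes.rego
+++ b/policies/kubernetes.rego
@@ -3,61 +3,69 @@ package kubernetes
 default deny = []
 
 # 🛡️ 1. Контейнеры должны иметь ресурсы
-deny[msg] {
+deny[msg] if {
 input.kind == "Deployment"
 container := input.spec.template.spec.containers[_]
 not container.resources.limits.memory
+} then {
 msg := sprintf("Container %s missing memory limit", [container.name])
 }
 
-deny[msg] {
+deny[msg] if {
 input.kind == "Deployment"
 container := input.spec.template.spec.containers[_]
 not container.resources.limits.cpu
+} then {
 msg := sprintf("Container %s missing CPU limit", [container.name])
 }
 
 # 🔬 2. Должны быть probes
-deny[msg] {
+deny[msg] if {
 input.kind == "Deployment"
 container := input.spec.template.spec.containers[_]
 not container.livenessProbe
+} then {
 msg := sprintf("Container %s missing livenessProbe", [container.name])
 }
 
-deny[msg] {
+deny[msg] if {
 input.kind == "Deployment"
 container := input.spec.template.spec.containers[_]
 not container.readinessProbe
+} then {
 msg := sprintf("Container %s missing readinessProbe", [container.name])
 }
 
 # 📛 3. Namespace должен быть указан
-deny[msg] {
+deny[msg] if {
 not input.metadata.namespace
+} then {
 msg := "Resource is missing namespace"
 }
 
 # 🔐 4. Контейнеры должны запускаться не от root
-deny[msg] {
+deny[msg] if {
 input.kind == "Deployment"
 not input.spec.template.spec.securityContext.runAsNonRoot
+} then {
 msg := "Deployment must set runAsNonRoot: true"
 }
 
 # 📦 5. Если используется LLM — должна быть задана модель
-deny[msg] {
+deny[msg] if {
 input.kind == "Deployment"
 container := input.spec.template.spec.containers[_]
 input.metadata.labels["app.kubernetes.io/name"] == "chat-api"
 not input.spec.template.metadata.annotations["openrouter.model"]
+} then {
 msg := "chat-api is missing openrouter.model annotation"
 }
 
 # 🔭 6. OTEL переменные должны быть заданы
-deny[msg] {
+deny[msg] if {
 input.kind == "Deployment"
 container := input.spec.template.spec.containers[_]
 not container.env[_].name == "OTEL_EXPORTER_OTLP_ENDPOINT"
+} then {
 msg := "OpenTelemetry OTLP endpoint is missing"
 }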
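Review bot: The new rule bodies will not parse: Rego has no `then` keyword, so each added `} then {` line (new lines 10, 18, 27, 35, 42, 50, 60, 69) closes the rule after its conditions and leaves the `msg := ...` assignment in a dangling block, which means the whole policy file — every check in it, including the runAsNonRoot and resource-limit rules — is rejected by the compiler instead of being evaluated. The conditions and the `msg` assignment belong in one body: delete each `} then {` line so a rule reads `deny contains msg if { input.kind == "Deployment"; ...; msg := sprintf(...) }`. With the v1 syntax the head should also be `deny contains msg if {` rather than `deny[msg] if {`, since as I understand v1 a bracketed head without `contains` is parsed as an object rule keyed by `msg` rather than a set of messages, which changes what consumers of `deny` receive. The unchanged `default deny = []` above the first rule declares an array for a rule that produces a set; whether OPA accepts a default on a multi-value rule at all is worth confirming from the CI output before relying on this policy as a gate.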
