added basic policy

sionsmith · sionsmith · commit 66a166ef6fb9 · 2021-10-26T12:53:48.000+01:00
diff --git a/examples/multi-tenacy/open-policy-agent/policies/ingress-whitelist.rego b/examples/multi-tenacy/open-policy-agent/policies/ingress-whitelist.rego
@@ -0,0 +1,37 @@
+package kubernetes.admission
+import data.kubernetes.namespaces
+
+operations = {"CREATE", "UPDATE"}
+
+deny[msg] {
+  input.request.kind.kind == "Ingress"
+  operations[input.request.operation]
+  host := input.request.object.spec.rules[_].host
+  not fqdn_matches_any(host, valid_ingress_hosts)
+  msg := sprintf("invalid ingress host %q", [host])
+}
+
+valid_ingress_hosts = {host |
+  whitelist := namespaces[input.request.namespace].metadata.annotations["ingress-whitelist"]
+  hosts := split(whitelist, ",")
+  host := hosts[_]
+}
+
+fqdn_matches_any(str, patterns) {
+  fqdn_matches(str, patterns[_])
+}
+
+fqdn_matches(str, pattern) {
+  pattern_parts := split(pattern, ".")
+  pattern_parts[0] == "*"
+  str_parts := split(str, ".")
+  n_pattern_parts := count(pattern_parts)
+  n_str_parts := count(str_parts)
+  suffix := trim(pattern, "*.")
+  endswith(str, suffix)
+}
+
+fqdn_matches(str, pattern) {
+    not contains(pattern, "*")
+    str == pattern
+}
diff --git a/examples/multi-tenacy/open-policy-agent/policies/no_deploy_in_defauly.rego b/examples/multi-tenacy/open-policy-agent/policies/no_deploy_in_defauly.rego
@@ -0,0 +1,8 @@
+package kubernetes.admission
+
+deny[msg] {
+    input.request.kind.kind == "Deployment"
+    input.request.namespace == "default"
+
+    msg := "Not allowed to create deployments in default namespace"
+}
