plexsystems
diff --git a/‎examples/.regal/config.yaml‎
Lines changed: 4 additions & 0 deletions b/‎examples/.regal/config.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎…ny-warn-deprecated-api-versions/src.rego‎ ‎…ny_warn_deprecated_api_versions/src.rego‎examples/any-warn-deprecated-api-versions/src.rego renamed to examples/any_warn_deprecated_api_versions/src.rego
Lines changed: 4 additions & 3 deletions b/‎…ny-warn-deprecated-api-versions/src.rego‎ ‎…ny_warn_deprecated_api_versions/src.rego‎examples/any-warn-deprecated-api-versions/src.rego renamed to examples/any_warn_deprecated_api_versions/src.rego
Lines changed: 4 additions & 3 deletions
diff --git a/‎…rn-deprecated-api-versions/src_test.rego‎ ‎…rn_deprecated_api_versions/src_test.rego‎examples/any-warn-deprecated-api-versions/src_test.rego renamed to examples/any_warn_deprecated_api_versions/src_test.rego
Lines changed: 5 additions & 3 deletions b/‎…rn-deprecated-api-versions/src_test.rego‎ ‎…rn_deprecated_api_versions/src_test.rego‎examples/any-warn-deprecated-api-versions/src_test.rego renamed to examples/any_warn_deprecated_api_versions/src_test.rego
Lines changed: 5 additions & 3 deletions
diff --git a/‎…ontainer-deny-added-caps/constraint.yaml‎ ‎…ontainer_deny_added_caps/constraint.yaml‎examples/container-deny-added-caps/constraint.yaml renamed to examples/container_deny_added_caps/constraint.yaml b/‎…ontainer-deny-added-caps/constraint.yaml‎ ‎…ontainer_deny_added_caps/constraint.yaml‎examples/container-deny-added-caps/constraint.yaml renamed to examples/container_deny_added_caps/constraint.yaml
diff --git a/‎…mples/container-deny-added-caps/src.rego‎ ‎…mples/container_deny_added_caps/src.rego‎examples/container-deny-added-caps/src.rego renamed to examples/container_deny_added_caps/src.rego
Lines changed: 3 additions & 2 deletions b/‎…mples/container-deny-added-caps/src.rego‎ ‎…mples/container_deny_added_caps/src.rego‎examples/container-deny-added-caps/src.rego renamed to examples/container_deny_added_caps/src.rego
Lines changed: 3 additions & 2 deletions
diff --git a/‎…/container-deny-added-caps/src_test.rego‎ ‎…/container_deny_added_caps/src_test.rego‎examples/container-deny-added-caps/src_test.rego renamed to examples/container_deny_added_caps/src_test.rego
Lines changed: 4 additions & 2 deletions b/‎…/container-deny-added-caps/src_test.rego‎ ‎…/container_deny_added_caps/src_test.rego‎examples/container-deny-added-caps/src_test.rego renamed to examples/container_deny_added_caps/src_test.rego
Lines changed: 4 additions & 2 deletions
diff --git a/‎…/container-deny-added-caps/template.yaml‎ ‎…/container_deny_added_caps/template.yaml‎examples/container-deny-added-caps/template.yaml renamed to examples/container_deny_added_caps/template.yaml
Lines changed: 3 additions & 2 deletions b/‎…/container-deny-added-caps/template.yaml‎ ‎…/container_deny_added_caps/template.yaml‎examples/container-deny-added-caps/template.yaml renamed to examples/container_deny_added_caps/template.yaml
Lines changed: 3 additions & 2 deletions
diff --git a/‎…ontainer-deny-escalation/constraint.yaml‎ ‎…ontainer_deny_escalation/constraint.yaml‎examples/container-deny-escalation/constraint.yaml renamed to examples/container_deny_escalation/constraint.yaml b/‎…ontainer-deny-escalation/constraint.yaml‎ ‎…ontainer_deny_escalation/constraint.yaml‎examples/container-deny-escalation/constraint.yaml renamed to examples/container_deny_escalation/constraint.yaml
diff --git a/‎…mples/container-deny-escalation/src.rego‎ ‎…mples/container_deny_escalation/src.rego‎examples/container-deny-escalation/src.rego renamed to examples/container_deny_escalation/src.rego
Lines changed: 5 additions & 4 deletions b/‎…mples/container-deny-escalation/src.rego‎ ‎…mples/container_deny_escalation/src.rego‎examples/container-deny-escalation/src.rego renamed to examples/container_deny_escalation/src.rego
Lines changed: 5 additions & 4 deletions
diff --git a/‎…/container-deny-escalation/src_test.rego‎ ‎…/container_deny_escalation/src_test.rego‎examples/container-deny-escalation/src_test.rego renamed to examples/container_deny_escalation/src_test.rego
Lines changed: 4 additions & 2 deletions b/‎…/container-deny-escalation/src_test.rego‎ ‎…/container_deny_escalation/src_test.rego‎examples/container-deny-escalation/src_test.rego renamed to examples/container_deny_escalation/src_test.rego
Lines changed: 4 additions & 2 deletions
@@ -5,6 +5,8 @@ rules:
   idiomatic:
     no-defined-entrypoint:
       level: ignore
+    directory-package-mismatch:
+       level: ignore
   imports:
     prefer-package-imports:
       level: ignore
@@ -17,6 +19,8 @@ rules:
       level: ignore
     prefer-snake-case:
       level: ignore
+    rule-name-repeats-package:
+      level: ignore
   testing:
     test-outside-test-package:
       level: ignore
@@ -15,13 +15,14 @@
 package any_warn_deprecated_api_versions
 
 import data.lib.core
+import rego.v1
 
 policyID := "P0001"
 
-warn[msg] {
-	resources := ["DaemonSet", "Deployment"]
+warn contains msg if {
 	core.apiVersion == "extensions/v1beta1"
-	core.kind == resources[_]
+	resources := ["DaemonSet", "Deployment"]
+	core.kind in resources
 
 	msg := core.format_with_id(
 		sprintf("API extensions/v1beta1 for %s has been deprecated, use apps/v1 instead.", [core.kind]),
 
@@ -1,6 +1,8 @@
 package any_warn_deprecated_api_versions
 
-test_matching {
+import rego.v1
+
+test_matching if {
 	warns := warn with input as {
 		"kind": "Deployment",
 		"metadata": {"name": "test"},
@@ -9,7 +11,7 @@ test_matching {
 	count(warns) == 1
 }
 
-test_different_kind {
+test_different_kind if {
 	warns := warn with input as {
 		"kind": "test",
 		"metadata": {"name": "test"},
@@ -18,7 +20,7 @@ test_different_kind {
 	count(warns) == 0
 }
 
-test_different_apiversion {
+test_different_apiversion if {
 	warns := warn with input as {
 		"kind": "Deployment",
 		"metadata": {"name": "test"},
 
@@ -24,10 +24,11 @@ package container_deny_added_caps
 import data.lib.core
 import data.lib.pods
 import data.lib.security
+import rego.v1
 
 policyID := "P1001"
 
-violation[msg] {
+violation contains msg if {
 	some container
 	pods.containers[container]
 	not container_dropped_all_capabilities(container)
@@ -38,6 +39,6 @@ violation[msg] {
 	)
 }
 
-container_dropped_all_capabilities(container) {
+container_dropped_all_capabilities(container) if {
 	security.dropped_capability(container, "all")
 }
@@ -1,9 +1,11 @@
 package container_deny_added_caps
 
-test_dropped_all {
+import rego.v1
+
+test_dropped_all if {
 	container_dropped_all_capabilities({"securityContext": {"capabilities": {"drop": ["all"]}}})
 }
 
-test_dropped_none {
+test_dropped_none if {
 	not container_dropped_all_capabilities({"securityContext": {"capabilities": {"drop": ["none"]}}})
 }
@@ -130,10 +130,11 @@ spec:
       import data.lib.core
       import data.lib.pods
       import data.lib.security
+      import rego.v1
 
       policyID := "P1001"
 
-      violation[msg] {
+      violation contains msg if {
         some container
         pods.containers[container]
         not container_dropped_all_capabilities(container)
@@ -144,7 +145,7 @@ spec:
         )
       }
 
-      container_dropped_all_capabilities(container) {
+      container_dropped_all_capabilities(container) if {
         security.dropped_capability(container, "all")
       }
     target: admission.k8s.gatekeeper.sh
 
@@ -20,25 +20,26 @@ package container_deny_escalation
 
 import data.lib.core
 import data.lib.pods
+import rego.v1
 
 policyID := "P1002"
 
-violation[msg] {
+violation contains msg if {
 	some container
 	pods.containers[container]
 	container_allows_escalation(container)
 
 	msg := core.format_with_id(sprintf("%s/%s: Allows privilege escalation", [core.kind, core.name]), policyID)
 }
 
-container_allows_escalation(c) {
+container_allows_escalation(c) if {
 	c.securityContext.allowPrivilegeEscalation == true
 }
 
-container_allows_escalation(c) {
+container_allows_escalation(c) if {
 	core.missing_field(c, "securityContext")
 }
 
-container_allows_escalation(c) {
+container_allows_escalation(c) if {
 	core.missing_field(c.securityContext, "allowPrivilegeEscalation")
 }
@@ -1,9 +1,11 @@
 package container_deny_escalation
 
-test_allowescalation_false {
+import rego.v1
+
+test_allowescalation_false if {
 	not container_allows_escalation({"securityContext": {"allowPrivilegeEscalation": false}})
 }
 
-test_allowescalation_true {
+test_allowescalation_true if {
 	container_allows_escalation({"securityContext": {"allowPrivilegeEscalation": true}})
 }
Original file line number	Diff line number	Diff line change
`@@ -24,10 +24,11 @@ package container_deny_added_caps`
`24`	`24`	`import data.lib.core`
`25`	`25`	`import data.lib.pods`
`26`	`26`	`import data.lib.security`
	`27`	`+import rego.v1`
`27`	`28`
`28`	`29`	`policyID := "P1001"`
`29`	`30`
`30`		`-violation[msg] {`
	`31`	`+violation contains msg if {`
`31`	`32`	`some container`
`32`	`33`	`pods.containers[container]`
`33`	`34`	`not container_dropped_all_capabilities(container)`
`@@ -38,6 +39,6 @@ violation[msg] {`
`38`	`39`	`)`
`39`	`40`	`}`
`40`	`41`
`41`		`-container_dropped_all_capabilities(container) {`
	`42`	`+container_dropped_all_capabilities(container) if {`
`42`	`43`	`security.dropped_capability(container, "all")`
`43`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,9 +1,11 @@`
`1`	`1`	`package container_deny_added_caps`
`2`	`2`
`3`		`-test_dropped_all {`
	`3`	`+import rego.v1`
	`4`	`+`
	`5`	`+test_dropped_all if {`
`4`	`6`	`container_dropped_all_capabilities({"securityContext": {"capabilities": {"drop": ["all"]}}})`
`5`	`7`	`}`
`6`	`8`
`7`		`-test_dropped_none {`
	`9`	`+test_dropped_none if {`
`8`	`10`	`not container_dropped_all_capabilities({"securityContext": {"capabilities": {"drop": ["none"]}}})`
`9`	`11`	`}`
Original file line number	Diff line number	Diff line change
`@@ -130,10 +130,11 @@ spec:`
`130`	`130`	`import data.lib.core`
`131`	`131`	`import data.lib.pods`
`132`	`132`	`import data.lib.security`
	`133`	`+ import rego.v1`
`133`	`134`
`134`	`135`	`policyID := "P1001"`
`135`	`136`
`136`		`- violation[msg] {`
	`137`	`+ violation contains msg if {`
`137`	`138`	`some container`
`138`	`139`	`pods.containers[container]`
`139`	`140`	`not container_dropped_all_capabilities(container)`
`@@ -144,7 +145,7 @@ spec:`
`144`	`145`	`)`
`145`	`146`	`}`
`146`	`147`
`147`		`- container_dropped_all_capabilities(container) {`
	`148`	`+ container_dropped_all_capabilities(container) if {`
`148`	`149`	`security.dropped_capability(container, "all")`
`149`	`150`	`}`
`150`	`151`	`target: admission.k8s.gatekeeper.sh`
Original file line number	Diff line number	Diff line change
`@@ -20,25 +20,26 @@ package container_deny_escalation`
`20`	`20`
`21`	`21`	`import data.lib.core`
`22`	`22`	`import data.lib.pods`
	`23`	`+import rego.v1`
`23`	`24`
`24`	`25`	`policyID := "P1002"`
`25`	`26`
`26`		`-violation[msg] {`
	`27`	`+violation contains msg if {`
`27`	`28`	`some container`
`28`	`29`	`pods.containers[container]`
`29`	`30`	`container_allows_escalation(container)`
`30`	`31`
`31`	`32`	`msg := core.format_with_id(sprintf("%s/%s: Allows privilege escalation", [core.kind, core.name]), policyID)`
`32`	`33`	`}`
`33`	`34`
`34`		`-container_allows_escalation(c) {`
	`35`	`+container_allows_escalation(c) if {`
`35`	`36`	`c.securityContext.allowPrivilegeEscalation == true`
`36`	`37`	`}`
`37`	`38`
`38`		`-container_allows_escalation(c) {`
	`39`	`+container_allows_escalation(c) if {`
`39`	`40`	`core.missing_field(c, "securityContext")`
`40`	`41`	`}`
`41`	`42`
`42`		`-container_allows_escalation(c) {`
	`43`	`+container_allows_escalation(c) if {`
`43`	`44`	`core.missing_field(c.securityContext, "allowPrivilegeEscalation")`
`44`	`45`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,9 +1,11 @@`
`1`	`1`	`package container_deny_escalation`
`2`	`2`
`3`		`-test_allowescalation_false {`
	`3`	`+import rego.v1`
	`4`	`+`
	`5`	`+test_allowescalation_false if {`
`4`	`6`	`not container_allows_escalation({"securityContext": {"allowPrivilegeEscalation": false}})`
`5`	`7`	`}`
`6`	`8`
`7`		`-test_allowescalation_true {`
	`9`	`+test_allowescalation_true if {`
`8`	`10`	`container_allows_escalation({"securityContext": {"allowPrivilegeEscalation": true}})`
`9`	`11`	`}`