-
Notifications
You must be signed in to change notification settings - Fork 12
/
Copy pathtemplate.yaml
41 lines (36 loc) · 1.56 KB
/
template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: denyemployeeonlyfeatures
spec:
crd:
spec:
names:
kind: DenyEmployeeOnlyFeatures
targets:
- target: admission.k8s.gatekeeper.sh
rego: |-
package denyemployeeonlyfeatures
sasLabel := "state.aaw.statcan.gc.ca/exists-non-sas-notebook-user"
sasImagePrefix := "k8scc01covidacr.azurecr.io/sas:"
ns := input.review.object.metadata.namespace
profile := data.inventory.cluster["kubeflow.org/v1"]["Profile"][ns]
profileLabelValue := profile.metadata.labels[sasLabel]
# Pod Object
violation[{"msg": msg}] {
input.review.object.kind == "Pod"
container := input.review.object.spec.containers[_]
existsSasContainerAndLabelViolation(container, profileLabelValue)
msg := sprintf("Pod has %s=%v and container uses a SAS image %v", [sasLabel, profileLabelValue, container.image])
}
# Notebook Object
violation[{"msg": msg}] {
input.review.object.kind == "Notebook"
container := input.review.object.spec.template.spec.containers[_]
existsSasContainerAndLabelViolation(container, profileLabelValue)
msg := sprintf("Notebook has %s=%v and container uses a SAS image %v", [sasLabel, profileLabelValue, container.image])
}
existsSasContainerAndLabelViolation(container, profileLabelValue) {
profileLabelValue == "true"
startswith(container.image, sasImagePrefix)
}