# Rego Samples
# See https://play.openpolicyagent.org
# Sample 1: user access
# Module for Sample 1 (user access). A Rego module carries exactly one
# `package` declaration, so this sample and Sample 2 further down are meant to
# be loaded as separate modules (for example one at a time in the playground),
# not evaluated together as a single file.
package myapi.policy
import data.myapi.acl
import input
# `allow` is false unless the requesting user's ACL entry lists the requested
# access. The default keeps the decision defined (and negative) when no entry
# matches, so callers never observe an undefined result.
default allow = false

# Grant when `input.access` appears in the ACL entry keyed by `input.user`.
# An unknown user leaves `acl[input.user]` undefined, the body fails, and the
# default of false stands.
allow {
    input.access == acl[input.user][_]
}
# `whocan` is the set of every ACL user whose entry contains `input.access`.
# Iterating `acl[user]` over all keys is what enumerates users; the rule reads
# only `input.access` and places no restriction of its own on who may query
# this enumeration.
whocan[user] {
    input.access == acl[user][_]
}
# Sample 2: Image Safety
# ------------
#
# This example prevents Kubernetes Pods from using containers from untrusted image
# registries. For simplicity, this example does NOT cover initContainers. To
# implement this policy, the rule needs to _search_ across the array of containers
# contained in every Pod resource. This example shows how to:
#
# * Use the 'some' keyword to declare local variables.
# * Iterate/search across JSON arrays.
#
# For additional information see:
#
# * Rego `some` keyword: https://www.openpolicyagent.org/docs/latest/policy-language/#some-keyword
# * Rego Iteration: https://www.openpolicyagent.org/docs/latest/#iteration
# Module for Sample 2 (image safety). This is a second `package` in the same
# file; since a Rego module has exactly one package declaration, load this
# sample on its own rather than together with Sample 1.
package kubernetes.validating.images
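# `deny` collects one message per container whose image is not pulled from the
# trusted registry prefix "xyzyz.com/". Only Pod admission requests are
# examined, and only `spec.containers` is searched; initContainers (and
# ephemeralContainers) are deliberately outside the scope of this sample.
deny[msg] {
    # The `some` keyword declares local variables. This rule declares a variable
    # called `i`. The rule asks if there is some array index `i` such that the value
    # of the array element's `"image"` field does not start with "xyzyz.com/"
    # (the same prefix the `startswith` call below checks).
    some i
    # Non-Pod kinds never satisfy this condition, so they produce no denial.
    input.request.kind.kind == "Pod"
    image := input.request.object.spec.containers[i].image
    # The trailing "/" in the prefix anchors the match to the full registry host
    # component of the image reference rather than to a bare hostname prefix.
    not startswith(image, "xyzyz.com/")
    msg := sprintf("Image '%v' comes from untrusted registry", [image])
}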