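# Gatekeeper ConstraintTemplate: restricts which hostnames a non-admin user may
# claim in an Ingress. A user may only use hosts whose label directly left of
# ".k8s.csclub.cloud" is either "<username>" or ends in "-<username>".
# The Constraint that instantiates this template (kind CSCIngressConstraint)
# supplies the match criteria; this file holds only the policy logic.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: cscingressconstraint
spec:
  crd:
    spec:
      names:
        kind: CSCIngressConstraint
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package cscingressconstraint

        # Only admission requests for these operations are evaluated.
        operations = {"CREATE", "UPDATE"}

        # Every permitted host must end with this suffix. The leading dot is
        # part of it, so the bare zone "k8s.csclub.cloud" is never accepted.
        subdomain = ".k8s.csclub.cloud"

        # Deny when a non-admin user creates/updates an Ingress whose rule host
        # is not under their own name. Evaluated once per rule that has a host.
        violation[{"msg": msg, "details": {}}] {
          input.review.kind.kind == "Ingress"
          operations[input.review.operation]
          not is_admin_user(input.review.userInfo)
          # If username were absent this rule would be undefined and the
          # request allowed; the API server populates it for every
          # authenticated request — confirm for the cluster's auth setup.
          username := input.review.userInfo.username
          host := input.review.object.spec.rules[_].host
          not is_valid_domain(username, host)
          msg := "Invalid domain name, please contact the Systems Committee for assistance"
        }

        # Deny when a non-admin user's Ingress contains a rule with no host.
        # The rule above iterates over rules[_].host, so a rule that omits the
        # field never reaches it; a host-less rule, however, matches traffic
        # for every hostname the controller serves, which is exactly what this
        # policy exists to prevent.
        violation[{"msg": msg, "details": {}}] {
          input.review.kind.kind == "Ingress"
          operations[input.review.operation]
          not is_admin_user(input.review.userInfo)
          rule := input.review.object.spec.rules[_]
          not rule.host
          msg := "Ingress rules must specify a host, please contact the Systems Committee for assistance"
        }

        # NOTE(review): spec.tls[_].hosts and an Ingress carrying only
        # spec.defaultBackend (no rules) are not checked; whether those let a
        # user claim hostnames or certificates depends on the ingress
        # controller and certificate issuer in use — confirm and extend.

        # Members of system:masters bypass the check entirely.
        is_admin_user(userInfo) {
          userInfo.groups[_] == "system:masters"
        }

        # A host is valid when it ends with `subdomain` and the last label of
        # what remains after stripping the suffix belongs to the user.
        # All comparisons are case-sensitive.
        is_valid_domain(username, host) {
          endswith(host, subdomain)
          prefix := trim_suffix(host, subdomain)
          parts := split(prefix, ".")
          last_part := parts[count(parts) - 1]
          is_valid_last_part_of_prefix(username, last_part)
        }

        # The owning label is either the username itself ...
        is_valid_last_part_of_prefix(username, last_part) {
          username == last_part
        }

        # ... or any label ending in "-<username>".
        is_valid_last_part_of_prefix(username, last_part) {
          suffix := concat("", ["-", username])
          endswith(last_part, suffix)
        }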