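# Gatekeeper ConstraintTemplate: limits the hosts a non-admin user may claim
# in an Ingress to names under the `subdomain` declared in the Rego below.
# Instantiate it with a `CSCIngressConstraint` resource.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: cscingressconstraint
spec:
  crd:
    spec:
      names:
        kind: CSCIngressConstraint
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package cscingressconstraint

        # Only admission requests for these operations are checked.
        operations = {"CREATE", "UPDATE"}

        # Every Ingress host must end with this suffix; the DNS label directly
        # before it must belong to the requesting user (see is_valid_domain).
        subdomain = ".k8s.csclub.cloud"

        # An Ingress rule whose host is outside the requesting user's part of
        # `subdomain`. The offending host is reported in details.
        violation[{"msg": msg, "details": {"host": host}}] {
          input.review.kind.kind == "Ingress"
          operations[input.review.operation]
          not is_admin_user(input.review.userInfo)
          username := input.review.userInfo.username
          host := input.review.object.spec.rules[_].host
          not is_valid_domain(username, host)
          msg := "Invalid domain name, please contact the Systems Committee for assistance"
        }

        # An Ingress rule with no `host` field at all. The Ingress API allows
        # the field to be omitted (an absent host matches every request), and
        # for such a rule the `rules[_].host` reference above is undefined, so
        # the rule would otherwise pass the check silently.
        violation[{"msg": msg, "details": {}}] {
          input.review.kind.kind == "Ingress"
          operations[input.review.operation]
          not is_admin_user(input.review.userInfo)
          rule := input.review.object.spec.rules[_]
          not rule.host
          msg := "Ingress rules must specify a host, please contact the Systems Committee for assistance"
        }

        # NOTE(review): spec.tls[].hosts is not checked here; confirm whether the
        # ingress controller in use selects certificates by those names.

        # Members of system:masters are exempt from the host restriction.
        is_admin_user(userInfo) {
          userInfo.groups[_] == "system:masters"
        }

        # host is valid when it ends with `subdomain` and the DNS label directly
        # before that suffix is owned by `username`.
        is_valid_domain(username, host) {
          endswith(host, subdomain)
          prefix := trim_suffix(host, subdomain)
          parts := split(prefix, ".")
          last_part := parts[count(parts) - 1]
          is_valid_last_part_of_prefix(username, last_part)
        }

        # Either the label is exactly the username ...
        is_valid_last_part_of_prefix(username, last_part) {
          username == last_part
        }

        # ... or it ends with "-<username>". NOTE(review): this form overlaps
        # with the bare-username form of any user whose own name ends in
        # "-<username>" (user "bob" may claim the label "x-bob"); confirm that
        # usernames cannot contain "-" or that the overlap is intended.
        is_valid_last_part_of_prefix(username, last_part) {
          suffix := concat("", ["-", username])
          endswith(last_part, suffix)
        }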