Deploy GitHub Pages
parent
be1fab20d2
commit
9512d17973
69 changed files with 246 additions and 114 deletions
9
examples/openpolicyagent/index.html
Normal file
9
examples/openpolicyagent/index.html
Normal file
File diff suppressed because one or more lines are too long
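--- a/examples/openpolicyagent/rule.yaml
+++ b/examples/openpolicyagent/rule.yaml
@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sBlockIngressPathType
+metadata:
+name: implspecificisblocked
+spec:
+match:
+kinds:
+- apiGroups: ["networking.k8s.io"]
+kinds: ["Ingress"]
+parameters:
+namespacesExceptions:
+- "privileged"
+blockedTypes:
+- "ImplementationSpecific"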
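Review bot: The `privileged` exemption under `parameters.namespacesExceptions` is enforced only by the template's Rego, so it is only as strong as that rule's namespace lookup and as the RBAC that decides who may create Ingresses in that namespace. Gatekeeper constraints also accept `spec.match.excludedNamespaces: ["privileged"]`, which scopes the constraint before the Rego runs and would be a simpler place for this exception. If the parameter is kept, a comment above it such as `# Ingresses in these namespaces bypass the pathType block; restrict who can create Ingresses there` would make the trust assumption explicit. The match list covers only the `networking.k8s.io` group, which looks intentional but is worth stating in the same comment.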
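--- a/examples/openpolicyagent/template.yaml
+++ b/examples/openpolicyagent/template.yaml
@@ -0,0 +1,40 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+name: k8sblockingresspathtype
+annotations:
+metadata.gatekeeper.sh/title: "Block a pathType usage"
+description: >-
+Users should not be able to use specific pathTypes
+spec:
+crd:
+spec:
+names:
+kind: K8sBlockIngressPathType
+validation:
+openAPIV3Schema:
+type: object
+properties:
+blockedTypes:
+type: array
+items:
+type: string
+namespacesExceptions:
+type: array
+items:
+type: string
+targets:
+- target: admission.k8s.gatekeeper.sh
+rego: |
+package K8sBlockIngressPathType
+
+violation[{"msg": msg}] {
+input.review.kind.kind == "Ingress"
+ns := input.review.object.metadata.namespace
+excemptNS := [good | excempts = input.parameters.namespacesExceptions[_] ; good = excempts == ns]
+not any(excemptNS)
+pathType := object.get(input.review.object.spec.rules[_].http.paths[_], "pathType", "")
+blockedPath := [blocked | blockedTypes = input.parameters.blockedTypes[_] ; blocked = blockedTypes == pathType]
+any(blockedPath)
+msg := sprintf("pathType '%v' is not allowed in this namespace", [pathType])
+}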
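Review bot: In the `violation` rule, `ns := input.review.object.metadata.namespace` makes the whole rule undefined when the reviewed object carries no `metadata.namespace`, so no violation is reported and a blocked pathType is admitted. The API server normally fills the namespace in before admission, but an object evaluated without it would not be denied; the `should-deny.yaml` fixture in this commit omits the field, so whether it exercises the deny path depends on how it is evaluated. Reading the value as `ns := object.get(input.review.object.metadata, "namespace", "")` keeps the rule failing closed. Separately, the `any()` built-in used on `excemptNS` and `blockedPath` is deprecated in OPA and is worth replacing with direct membership checks before moving to a Rego version that drops it.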
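--- a/examples/openpolicyagent/tests/should-allow-ns-except.yaml
+++ b/examples/openpolicyagent/tests/should-allow-ns-except.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+creationTimestamp: null
+name: simple
+namespace: privileged
+spec:
+rules:
+- host: foo1.com
+http:
+paths:
+- backend:
+service:
+name: svc1
+port:
+number: 8080
+path: /bar
+pathType: ImplementationSpecific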
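--- a/examples/openpolicyagent/tests/should-allow.yaml
+++ b/examples/openpolicyagent/tests/should-allow.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+creationTimestamp: null
+name: simple
+spec:
+rules:
+- host: foo.com
+http:
+paths:
+- backend:
+service:
+name: svc1
+port:
+number: 8080
+path: /bar
+pathType: Exact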
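--- a/examples/openpolicyagent/tests/should-deny.yaml
+++ b/examples/openpolicyagent/tests/should-deny.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+creationTimestamp: null
+name: simple
+spec:
+rules:
+- host: foo2.com
+http:
+paths:
+- backend:
+service:
+name: svc1
+port:
+number: 8080
+path: /bar
+pathType: ImplementationSpecific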