Deploy GitHub Pages

examples/openpolicyagent/rule.yaml

@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sBlockIngressPathType
+metadata:
+  name: implspecificisblocked
+spec:
+  match:
+    kinds:
+      - apiGroups: ["networking.k8s.io"]
+        kinds: ["Ingress"]
+  parameters:
+    namespacesExceptions:
+      - "privileged"
+    blockedTypes:
+      - "ImplementationSpecific"

examples/openpolicyagent/template.yaml

@@ -0,0 +1,40 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8sblockingresspathtype
+  annotations:
+    metadata.gatekeeper.sh/title: "Block a pathType usage"
+    description: >-
+      Users should not be able to use specific pathTypes
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sBlockIngressPathType
+      validation:
+        openAPIV3Schema:
+          type: object
+          properties:
+            blockedTypes:
+              type: array
+              items: 
+                type: string 
+            namespacesExceptions:
+              type: array
+              items: 
+                type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package K8sBlockIngressPathType
+
+        violation[{"msg": msg}] {
+          input.review.kind.kind == "Ingress"
+          ns := input.review.object.metadata.namespace
+          excemptNS := [good | excempts = input.parameters.namespacesExceptions[_] ; good = excempts == ns]
+          not any(excemptNS)
+          pathType := object.get(input.review.object.spec.rules[_].http.paths[_], "pathType", "")
+          blockedPath := [blocked | blockedTypes = input.parameters.blockedTypes[_] ; blocked = blockedTypes == pathType]
+          any(blockedPath)
+          msg := sprintf("pathType '%v' is not allowed in this namespace", [pathType])
+        }

examples/openpolicyagent/tests/should-allow-ns-except.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  creationTimestamp: null
+  name: simple
+  namespace: privileged
+spec:
+  rules:
+  - host: foo1.com
+    http:
+      paths:
+      - backend:
+          service:
+            name: svc1
+            port:
+              number: 8080
+        path: /bar
+        pathType: ImplementationSpecific

examples/openpolicyagent/tests/should-allow.yaml

@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  creationTimestamp: null
+  name: simple
+spec:
+  rules:
+  - host: foo.com
+    http:
+      paths:
+      - backend:
+          service:
+            name: svc1
+            port:
+              number: 8080
+        path: /bar
+        pathType: Exact

examples/openpolicyagent/tests/should-deny.yaml

@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  creationTimestamp: null
+  name: simple
+spec:
+  rules:
+  - host: foo2.com
+    http:
+      paths:
+      - backend:
+          service:
+            name: svc1
+            port:
+              number: 8080
+        path: /bar
+        pathType: ImplementationSpecific