Maximilian Siegert Igelchen1

## values.yml
# open-policy-agent/helm/opa/values.yml
...
validating: true
mutating: true
...

## trust-pinning-test.yaml
# trust-pinning-test
apiVersion: v1
kind: Pod
metadata:
  name: trust-pinning-test
  namespace: default
spec:
  containers:
  # trigger rule 1:
  - image: GUN/<hub-id>/nginx:1

## rules.rego
package policy.validating

operations := {"CREATE", "UPDATE"}

kind := {"Pod", "Deployment"}

# rule to deny digests for pods and deployments
deny[msg] {
	operations[input.request.operation]
	kind[input.request.kind.kind]

## values.yml
# open-policy-agent/helm/opa/values.yml
...
validating: true
mutating: false
...

## main.rego
package policy.mutating

import data.k8s.matches

main = {
	"apiVersion": "admission.k8s.io/v1",
	"kind": "AdmissionReview",
	"response": response,
}
	# open-policy-agent/helm/opa/values.yml
	...
	validating: true
	mutating: true
	...
	# trust-pinning-test
	apiVersion: v1
	kind: Pod
	metadata:
	name: trust-pinning-test
	namespace: default
	spec:
	containers:
	# trigger rule 1:
	- image: GUN/<hub-id>/nginx:1
	package policy.validating

	operations := {"CREATE", "UPDATE"}

	kind := {"Pod", "Deployment"}

	# rule to deny digests for pods and deployments
	deny[msg] {
	operations[input.request.operation]
	kind[input.request.kind.kind]
	# open-policy-agent/helm/opa/values.yml
	...
	validating: true
	mutating: false
	...
	package policy.mutating

	import data.k8s.matches

	main = {
	"apiVersion": "admission.k8s.io/v1",
	"kind": "AdmissionReview",
	"response": response,
	}