Created
November 23, 2021 03:26
-
-
Save antigenius0910/e6a342cc6355387fca1ecb7500eb1b89 to your computer and use it in GitHub Desktop.
Gatekeeper policy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: constraints.gatekeeper.sh/v1beta1 | |
kind: K8sNsAuth | |
metadata: | |
name: block-deployment-prohibit-namespaces | |
spec: | |
match: | |
kinds: | |
- apiGroups: [""] | |
kinds: ["*"] | |
parameters: | |
namespaces: | |
- "default" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: apps/v1 | |
kind: Deployment | |
metadata: | |
name: nginx-deployment | |
namespace: default | |
labels: | |
app: nginx | |
spec: | |
replicas: 3 | |
selector: | |
matchLabels: | |
app: nginx | |
template: | |
metadata: | |
labels: | |
app: nginx | |
spec: | |
containers: | |
- name: nginx | |
image: nginx:1.14.2 | |
ports: | |
- containerPort: 80 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: templates.gatekeeper.sh/v1beta1 | |
kind: ConstraintTemplate | |
metadata: | |
name: k8snsauth | |
spec: | |
crd: | |
spec: | |
names: | |
kind: K8sNsAuth | |
validation: | |
openAPIV3Schema: | |
properties: | |
namespaces: | |
type: array | |
items: string | |
targets: | |
- target: admission.k8s.gatekeeper.sh | |
rego: | | |
package k8sroleauth | |
violation[{ "msg": msg}]{ | |
### following line will not work for "deployment" kind since the debug output is "Pod" not "Deployment" | |
#input.review.object.kind == "Deployment" | |
namespace := input.review.object.metadata.namespace | |
disallowed_namespace := input.parameters.namespaces[_] | |
contains(disallowed_namespace,namespace) | |
debug := input.review.object.kind | |
msg := sprintf("create resources under default namespace is not allowed on envoy prod cluster", [debug])} |
Author
antigenius0910
commented
Nov 23, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment