Ashutosh Narkar ashutosh-narkar
ashutosh-narkar
/ policy.rego
Last active
November 19, 2021 16:05
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package envoy.authz | |
| import input.attributes.request.http as http_request | |
| default allow = false | |
| # allow Frontend service to access Database service | |
| allow { | |
| http_request.method == "GET" | |
| svc_spiffe_id == "spiffe://acme.com/frontend" |
ashutosh-narkar
/ deny_privilege_escalation.rego
Created
July 23, 2021 17:41
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package kubernetes.validating.deny_privilege_escalation | |
| deny[msg] { | |
| some c | |
| input_container[c] | |
| not c.securityContext.allowPrivilegeEscalation == false | |
| msg := sprintf("Container '%v' should not have allowPrivilegeEscalation set to true.", [c.name]) | |
| } | |
| input_container[container] { |
ashutosh-narkar
/ deny_host_namespaces.rego
Created
July 23, 2021 17:40
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package kubernetes.validating.deny_host_namespaces | |
| deny[msg] { | |
| input.request.kind.kind == "Pod" | |
| input.request.object.spec.hostNetwork == true | |
| msg := "Pod cannot be created with hostNetwork enabled." | |
| } | |
| deny[msg] { | |
| input.request.kind.kind == "Pod" |
ashutosh-narkar
/ deny_privileged_mode.rego
Created
July 23, 2021 17:38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package kubernetes.validating.deny_privileged_mode | |
| deny[msg] { | |
| some c | |
| input_container[c] | |
| c.securityContext.privileged | |
| msg := sprintf("Container '%v' should not run in privileged mode.", [c.name]) | |
| } | |
| input_container[container] { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Minikube | |
| ======== | |
| minikube start --memory=16384 --cpus=4 --kubernetes-version=v1.14.2 | |
| 1) Istio-Envoy-OPA | |
| =================== | |
| $ GOMAXPROCS=1 go test -bench=BenchmarkHTTP -benchtime=5s | |
| goos: darwin | |
| goarch: amd64 |
ashutosh-narkar
/ ingress-whitelist_test.rego
Last active
March 20, 2019 21:18
Test for Ingress Whitelist Admission Control
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package kubernetes.admission | |
| test_deny_ingress_good { | |
| in := { | |
| "kind": "AdmissionReview", | |
| "apiVersion":"admission.k8s.io/v1beta1", | |
| "request":{ | |
| "uid": "66c738ea-1b4c-11e9-a7d2-080027f75b4a", | |
| "kind": { | |
| "group": "extensions", |