ashutosh-narkar/ingress-whitelist_test.rego

## ingress-whitelist_test.rego
package kubernetes.admission

test_deny_ingress_good {
    in := {
        "kind": "AdmissionReview",
        "apiVersion":"admission.k8s.io/v1beta1",
        "request":{
            "uid": "66c738ea-1b4c-11e9-a7d2-080027f75b4a",
            "kind": {
                "group": "extensions",
                "version": "v1beta1",
                "kind": "Ingress"
            },
            "resource":{
                "group": "extensions",
                "version": "v1beta1",
                "resource": "ingresses"
            },
            "namespace": "production",
            "operation": "CREATE",
            "userInfo": {
                "username": "minikube-user",
                "groups": [
                    "system:masters",
                    "system:authenticated"
                    ]
            },
            "object": {
                "metadata": {
                    "name": "ingress-ok",
                    "namespace": "production",
                    "uid": "66c73498-1b4c-11e9-a7d2-080027f75b4a",
                    "generation": 1,
                    "creationTimestamp": "2019-01-18T18:10:56Z"
                },
                "spec": {
                    "rules":[
                        {
                            "host": "signin.acmecorp.com",
                            "http":{
                                "paths":[
                                    {
                                        "backend": {
                                            "serviceName": "nginx",
                                            "servicePort": 80
                                        }
                                    }
                                ]
                            }
                        }
                    ]
                },
                "status":{
                    "loadBalancer":{}
                }
            },
            "oldObject": null
        }
    }

    p := {
            "production": {
                "metadata": {
                    "annotations": {
                        "ingress-whitelist": "*.acmecorp.com"
                    }
                }
            }
        }

    violations := deny
        with input as in
        with data.kubernetes.namespaces as p

    count(violations) == 0
}

test_deny_ingress_bad {
    in := {
        "kind": "AdmissionReview",
        "apiVersion":"admission.k8s.io/v1beta1",
        "request":{
            "uid": "66c738ea-1b4c-11e9-a7d2-080027f75b4a",
            "kind": {
                "group": "extensions",
                "version": "v1beta1",
                "kind": "Ingress"
            },
            "resource":{
                "group": "extensions",
                "version": "v1beta1",
                "resource": "ingresses"
            },
            "namespace": "production",
            "operation": "CREATE",
            "userInfo": {
                "username": "minikube-user",
                "groups": [
                    "system:masters",
                    "system:authenticated"
                    ]
            },
            "object": {
                "metadata": {
                    "name": "ingress-bad",
                    "namespace": "qa",
                    "uid": "66c73498-1b4c-11e9-a7d2-080027f75b4a",
                    "generation": 1,
                    "creationTimestamp": "2019-01-18T18:10:56Z"
                },
                "spec": {
                    "rules":[
                        {
                            "host": "acmecorp.com",
                            "http":{
                                "paths":[
                                    {
                                        "backend": {
                                            "serviceName": "nginx",
                                            "servicePort": 80
                                        }
                                    }
                                ]
                            }
                        }
                    ]
                },
                "status":{
                    "loadBalancer":{}
                }
            },
            "oldObject": null
        }
    }

    p := {
            "qa": {
                "metadata": {
                    "annotations": {
                        "ingress-whitelist":  "*.qa.acmecorp.com,*.internal.acmecorp.com"
                    }
                }
            }
        }

    violations := deny
        with input as in
        with data.kubernetes.namespaces as p

    count(violations) == 1
    violations[reason]
    contains(reason, "invalid ingress host \"acmecorp.com\"")
}
	package kubernetes.admission

	test_deny_ingress_good {
	in := {
	"kind": "AdmissionReview",
	"apiVersion":"admission.k8s.io/v1beta1",
	"request":{
	"uid": "66c738ea-1b4c-11e9-a7d2-080027f75b4a",
	"kind": {
	"group": "extensions",
	"version": "v1beta1",
	"kind": "Ingress"
	},
	"resource":{
	"group": "extensions",
	"version": "v1beta1",
	"resource": "ingresses"
	},
	"namespace": "production",
	"operation": "CREATE",
	"userInfo": {
	"username": "minikube-user",
	"groups": [
	"system:masters",
	"system:authenticated"
	]
	},
	"object": {
	"metadata": {
	"name": "ingress-ok",
	"namespace": "production",
	"uid": "66c73498-1b4c-11e9-a7d2-080027f75b4a",
	"generation": 1,
	"creationTimestamp": "2019-01-18T18:10:56Z"
	},
	"spec": {
	"rules":[
	{
	"host": "signin.acmecorp.com",
	"http":{
	"paths":[
	{
	"backend": {
	"serviceName": "nginx",
	"servicePort": 80
	}
	}
	]
	}
	}
	]
	},
	"status":{
	"loadBalancer":{}
	}
	},
	"oldObject": null
	}
	}

	p := {
	"production": {
	"metadata": {
	"annotations": {
	"ingress-whitelist": "*.acmecorp.com"
	}
	}
	}
	}

	violations := deny
	with input as in
	with data.kubernetes.namespaces as p

	count(violations) == 0
	}

	test_deny_ingress_bad {
	in := {
	"kind": "AdmissionReview",
	"apiVersion":"admission.k8s.io/v1beta1",
	"request":{
	"uid": "66c738ea-1b4c-11e9-a7d2-080027f75b4a",
	"kind": {
	"group": "extensions",
	"version": "v1beta1",
	"kind": "Ingress"
	},
	"resource":{
	"group": "extensions",
	"version": "v1beta1",
	"resource": "ingresses"
	},
	"namespace": "production",
	"operation": "CREATE",
	"userInfo": {
	"username": "minikube-user",
	"groups": [
	"system:masters",
	"system:authenticated"
	]
	},
	"object": {
	"metadata": {
	"name": "ingress-bad",
	"namespace": "qa",
	"uid": "66c73498-1b4c-11e9-a7d2-080027f75b4a",
	"generation": 1,
	"creationTimestamp": "2019-01-18T18:10:56Z"
	},
	"spec": {
	"rules":[
	{
	"host": "acmecorp.com",
	"http":{
	"paths":[
	{
	"backend": {
	"serviceName": "nginx",
	"servicePort": 80
	}
	}
	]
	}
	}
	]
	},
	"status":{
	"loadBalancer":{}
	}
	},
	"oldObject": null
	}
	}

	p := {
	"qa": {
	"metadata": {
	"annotations": {
	"ingress-whitelist": ".qa.acmecorp.com,.internal.acmecorp.com"
	}
	}
	}
	}

	violations := deny
	with input as in
	with data.kubernetes.namespaces as p

	count(violations) == 1
	violations[reason]
	contains(reason, "invalid ingress host \"acmecorp.com\"")
	}