Test for Ingress Whitelist Admission Control
# Tests for the ingress-whitelist admission policy. They are declared in the
# same package as the policy so that its `deny` rule can be referenced
# unqualified from the test bodies below.
package kubernetes.admission
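# test_deny_ingress_good covers the allow path: an Ingress created in the
# "production" namespace whose only rule host is "signin.acmecorp.com" must
# produce no deny reasons when that namespace's whitelist is "*.acmecorp.com".
#
# The AdmissionReview local is named `review` instead of `in`: `in` is a
# keyword in OPA v1.0 (and wherever `import future.keywords.in` is in effect),
# so `in := {...}` no longer parses there. Nothing else in the rule changes.
#
# How the `*` wildcard is matched (label boundaries, apex domain) is decided
# by the policy's `deny` rule, which is not part of this file.
test_deny_ingress_good {
	review := {
		"kind": "AdmissionReview",
		"apiVersion": "admission.k8s.io/v1beta1",
		"request": {
			"uid": "66c738ea-1b4c-11e9-a7d2-080027f75b4a",
			"kind": {
				"group": "extensions",
				"version": "v1beta1",
				"kind": "Ingress"
			},
			"resource": {
				"group": "extensions",
				"version": "v1beta1",
				"resource": "ingresses"
			},
			"namespace": "production",
			"operation": "CREATE",
			"userInfo": {
				"username": "minikube-user",
				"groups": [
					"system:masters",
					"system:authenticated"
				]
			},
			"object": {
				"metadata": {
					"name": "ingress-ok",
					"namespace": "production",
					"uid": "66c73498-1b4c-11e9-a7d2-080027f75b4a",
					"generation": 1,
					"creationTimestamp": "2019-01-18T18:10:56Z"
				},
				"spec": {
					"rules": [
						{
							"host": "signin.acmecorp.com",
							"http": {
								"paths": [
									{
										"backend": {
											"serviceName": "nginx",
											"servicePort": 80
										}
									}
								]
							}
						}
					]
				},
				"status": {
					"loadBalancer": {}
				}
			},
			"oldObject": null
		}
	}

	# Stand-in for data.kubernetes.namespaces: the policy reads the
	# "ingress-whitelist" annotation from here, so the test does not depend on
	# whatever namespace data is loaded alongside it.
	ns_data := {
		"production": {
			"metadata": {
				"annotations": {
					"ingress-whitelist": "*.acmecorp.com"
				}
			}
		}
	}

	violations := deny
		with input as review
		with data.kubernetes.namespaces as ns_data

	# A host inside the whitelist must not be reported at all.
	count(violations) == 0
}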
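# test_deny_ingress_bad covers the deny path: an Ingress in the "qa" namespace
# using the apex host "acmecorp.com" must be rejected, because the namespace
# whitelist only admits "*.qa.acmecorp.com" and "*.internal.acmecorp.com".
# Exactly one reason is expected, and it must name the offending host.
#
# Two fixture fixes relative to the earlier version of this test:
#   - the AdmissionReview local is `review`, not `in`; `in` is a keyword in
#     OPA v1.0 (and wherever `import future.keywords.in` is in effect).
#   - request.namespace is "qa", matching object.metadata.namespace. The API
#     server fills both from the same object, and the previous value
#     ("production") was absent from the namespace data below, so the test
#     only held if the policy happened to key on metadata.namespace rather
#     than request.namespace. Keeping the two equal makes the test correct
#     under either lookup.
test_deny_ingress_bad {
	review := {
		"kind": "AdmissionReview",
		"apiVersion": "admission.k8s.io/v1beta1",
		"request": {
			"uid": "66c738ea-1b4c-11e9-a7d2-080027f75b4a",
			"kind": {
				"group": "extensions",
				"version": "v1beta1",
				"kind": "Ingress"
			},
			"resource": {
				"group": "extensions",
				"version": "v1beta1",
				"resource": "ingresses"
			},
			"namespace": "qa",
			"operation": "CREATE",
			"userInfo": {
				"username": "minikube-user",
				"groups": [
					"system:masters",
					"system:authenticated"
				]
			},
			"object": {
				"metadata": {
					"name": "ingress-bad",
					"namespace": "qa",
					"uid": "66c73498-1b4c-11e9-a7d2-080027f75b4a",
					"generation": 1,
					"creationTimestamp": "2019-01-18T18:10:56Z"
				},
				"spec": {
					"rules": [
						{
							"host": "acmecorp.com",
							"http": {
								"paths": [
									{
										"backend": {
											"serviceName": "nginx",
											"servicePort": 80
										}
									}
								]
							}
						}
					]
				},
				"status": {
					"loadBalancer": {}
				}
			},
			"oldObject": null
		}
	}

	# Stand-in for data.kubernetes.namespaces. The whitelist is a comma-separated
	# list of patterns; neither pattern covers the apex "acmecorp.com".
	ns_data := {
		"qa": {
			"metadata": {
				"annotations": {
					"ingress-whitelist": "*.qa.acmecorp.com,*.internal.acmecorp.com"
				}
			}
		}
	}

	violations := deny
		with input as review
		with data.kubernetes.namespaces as ns_data

	# One reason for the single bad host, and it must identify that host so an
	# operator reading the admission response can tell which rule was rejected.
	count(violations) == 1
	violations[reason]
	contains(reason, "invalid ingress host \"acmecorp.com\"")
}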