# Envoy external-authorization policy: the `allow` decision below is consulted per request.
package envoy.authz | |
# Alias the Envoy ext_authz request attributes so rules can refer to `http_request.method` etc.
import input.attributes.request.http as http_request | |
# Fail closed: a request is denied unless one of the `allow` rules in this module succeeds.
default allow = false | |
# allow Frontend service to access Database service | |
allow { | |
http_request.method == "GET" | |
svc_spiffe_id == "spiffe://acme.com/frontend" |
package kubernetes.validating.deny_privilege_escalation | |
# Deny any container whose securityContext does not explicitly set
# allowPrivilegeEscalation to false. Because the check is `not ... == false`,
# a container that omits the field (or sets it to true) is denied as well,
# so the rule fails closed. `input_container` is defined elsewhere in this module.
deny[msg] {
    container := input_container[_]
    escalation_not_disabled(container)
    msg := sprintf("Container '%v' should not have allowPrivilegeEscalation set to true.", [container.name])
}

# True when allowPrivilegeEscalation is absent or anything other than false.
escalation_not_disabled(container) {
    not container.securityContext.allowPrivilegeEscalation == false
}
input_container[container] { |
package kubernetes.validating.deny_host_namespaces | |
# Deny Pod admission requests whose spec enables hostNetwork. The rule keys on
# the request's kind rather than the operation, so it applies to updates as well
# as creates; the message wording reflects the create case.
deny[msg] {
    is_pod_request
    pod_spec := input.request.object.spec
    pod_spec.hostNetwork == true
    msg := "Pod cannot be created with hostNetwork enabled."
}

# True when the admission request targets a Pod object.
is_pod_request {
    input.request.kind.kind == "Pod"
}
deny[msg] { | |
input.request.kind.kind == "Pod" |
package kubernetes.validating.deny_privileged_mode | |
# Deny any container that requests privileged mode. The check is the bare
# expression `securityContext.privileged`, so the rule fires only when the
# field is present and not false; a container that omits it is not denied.
# `input_container` is defined elsewhere in this module.
deny[msg] {
    container := input_container[_]
    is_privileged(container)
    msg := sprintf("Container '%v' should not run in privileged mode.", [container.name])
}

# True when the container's securityContext.privileged is set and not false.
is_privileged(container) {
    container.securityContext.privileged
}
input_container[container] { |
Minikube | |
======== | |
minikube start --memory=16384 --cpus=4 --kubernetes-version=v1.14.2 | |
1) Istio-Envoy-OPA | |
=================== | |
$ GOMAXPROCS=1 go test -bench=BenchmarkHTTP -benchtime=5s | |
goos: darwin | |
goarch: amd64 |
package kubernetes.admission | |
test_deny_ingress_good { | |
in := { | |
"kind": "AdmissionReview", | |
"apiVersion":"admission.k8s.io/v1beta1", | |
"request":{ | |
"uid": "66c738ea-1b4c-11e9-a7d2-080027f75b4a", | |
"kind": { | |
"group": "extensions", |