@sbueringer
Last active January 11, 2019 18:25
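package authorization

import data.k8s.matches

# Deny create/update/delete/deletecollection requests on the StorageClass "ceph".
# The fields read below follow the SubjectAccessReview spec.resourceAttributes layout.
deny[{
	"id": "storageclasses",
	"resource": {
		"kind": kind,
		"namespace": namespace,
		"name": name,
	},
	"resolution": {"message": "You're not allowed to create/update/delete the StorageClass 'ceph'"},
}] {
	matches[[kind, namespace, name, resource]]
	resource.spec.resourceAttributes.resource = "storageclasses"

	# Kubernetes documents that create and deletecollection requests cannot be
	# restricted by resource name at authorization time, so this name match
	# may not hold for those verbs.
	resource.spec.resourceAttributes.name = "ceph"

	# The Kubernetes API verb is "deletecollection" (singular).
	re_match("^(create|update|delete|deletecollection)$", resource.spec.resourceAttributes.verb)
}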