sbueringer/blog-opa-example2-test.rego.rb

## blog-opa-example2-test.rego.rb
package authorization

test_deny_update_storageclass_ceph {
	deny[{"id": id, "resource": {"kind": "storageclasses", "namespace": "", "name": "ceph"}, "resolution": resolution}] with data.kubernetes.storageclasses[""].ceph as {
		"kind": "SubjectAccessReview",
		"apiVersion": "authorization.k8s.io/v1beta1",
		"spec": {
			"resourceAttributes": {
				"verb": "update",
				"version": "v1",
				"resource": "storageclasses",
				"name": "ceph",
			},
			"user": "alice",
			"group": ["user"],
		},
	}
}
	package authorization

	test_deny_update_storageclass_ceph {
	deny[{"id": id, "resource": {"kind": "storageclasses", "namespace": "", "name": "ceph"}, "resolution": resolution}] with data.kubernetes.storageclasses[""].ceph as {
	"kind": "SubjectAccessReview",
	"apiVersion": "authorization.k8s.io/v1beta1",
	"spec": {
	"resourceAttributes": {
	"verb": "update",
	"version": "v1",
	"resource": "storageclasses",
	"name": "ceph",
	},
	"user": "alice",
	"group": ["user"],
	},
	}
	}