@squeed
Created June 18, 2024 11:51
CEL: require default-allow policies
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "only-allow-ccnp-default-allow"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["cilium.io"]
        apiVersions: ["v2"]
        resources: ["ciliumclusterwidenetworkpolicies"]
        operations: ["CREATE", "UPDATE"]
  validations:
    # Each rule is vacuously true when the CCNP declares no rules in that direction.
    # Otherwise the CCNP must opt out of Cilium's default-deny explicitly.
    # has() on a nested path errors when an intermediate key is missing, so
    # enableDefaultDeny itself is checked first; without that guard a CCNP that omits
    # enableDefaultDeny is rejected with an evaluation error instead of the message.
    - expression: >-
        !( has(object.spec.ingress) || has(object.spec.ingressDeny) ) ||
        ( has(object.spec.enableDefaultDeny) && has(object.spec.enableDefaultDeny.ingress) && object.spec.enableDefaultDeny.ingress == false )
      message: "CCNPs must explicitly disallow ingress default-deny"
    - expression: >-
        !( has(object.spec.egress) || has(object.spec.egressDeny) ) ||
        ( has(object.spec.enableDefaultDeny) && has(object.spec.enableDefaultDeny.egress) && object.spec.enableDefaultDeny.egress == false )
      message: "CCNPs must explicitly disallow egress default-deny"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "only-allow-ccnp-default-allow"
spec:
  policyName: "only-allow-ccnp-default-allow"
  validationActions: [Deny]
  matchResources:
    resourceRules:
      - apiGroups: ["cilium.io"]
        apiVersions: ["v2"]
        resources: ["ciliumclusterwidenetworkpolicies"]
        operations: ["CREATE", "UPDATE"]
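The following is an added offline check, not part of the gist: it mirrors the two CEL rules above in plain Python so the policy's decisions can be exercised against sample CiliumClusterwideNetworkPolicy manifests before the ValidatingAdmissionPolicy is applied to a cluster. The manifests are constructed here for illustration; the helper name `validate_ccnp` is this example's own. Like CEL's `has()`, the path check treats a missing intermediate key (no `enableDefaultDeny` at all) as "not set", which is the case the policy is meant to reject with its message.

```python
from typing import Any, Dict, List, Optional

# Messages copied from the policy so the offline check reports the same text.
MESSAGES = {
    "ingress": "CCNPs must explicitly disallow ingress default-deny",
    "egress": "CCNPs must explicitly disallow egress default-deny",
}


def _has(obj: Any, *path: str) -> bool:
    """Mirror has() over a nested path: every key along the way must be present."""
    cur = obj
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return False
        cur = cur[key]
    return True


def check_direction(spec: Dict[str, Any], direction: str) -> Optional[str]:
    """Return None if the spec satisfies the rule for `direction`
    ("ingress" or "egress"), otherwise the policy's rejection message."""
    deny_field = direction + "Deny"          # ingressDeny / egressDeny
    # Rule is vacuously satisfied when no rules exist in this direction.
    if not (_has(spec, direction) or _has(spec, deny_field)):
        return None
    # Otherwise default-deny must be switched off explicitly (== false, not merely absent).
    if _has(spec, "enableDefaultDeny", direction) and spec["enableDefaultDeny"][direction] is False:
        return None
    return MESSAGES[direction]


def validate_ccnp(manifest: Dict[str, Any]) -> List[str]:
    """Return every violation message for one CCNP manifest (empty list == admitted)."""
    spec = manifest.get("spec", {})
    results = (check_direction(spec, "ingress"), check_direction(spec, "egress"))
    return [m for m in results if m]


# Constructed sample manifests (hypothetical names and selectors).
SAMPLE_CCNPS: Dict[str, Dict[str, Any]] = {
    # Egress rules present, default-deny explicitly disabled for egress: admitted.
    "allow-dns-egress": {
        "apiVersion": "cilium.io/v2",
        "kind": "CiliumClusterwideNetworkPolicy",
        "spec": {
            "endpointSelector": {},
            "enableDefaultDeny": {"egress": False},
            "egress": [{"toEntities": ["kube-apiserver"]}],
        },
    },
    # Ingress rules present but enableDefaultDeny omitted entirely: rejected.
    "ingress-no-flag": {
        "apiVersion": "cilium.io/v2",
        "kind": "CiliumClusterwideNetworkPolicy",
        "spec": {
            "endpointSelector": {"matchLabels": {"app": "web"}},
            "ingress": [{"fromEntities": ["cluster"]}],
        },
    },
    # Both directions have rules; egress still leaves default-deny enabled: rejected.
    "both-flags-mixed": {
        "apiVersion": "cilium.io/v2",
        "kind": "CiliumClusterwideNetworkPolicy",
        "spec": {
            "endpointSelector": {},
            "enableDefaultDeny": {"ingress": False, "egress": True},
            "ingressDeny": [{"fromEntities": ["world"]}],
            "egress": [{"toEntities": ["cluster"]}],
        },
    },
    # No rules in either direction: both validations are vacuously true.
    "selector-only": {
        "apiVersion": "cilium.io/v2",
        "kind": "CiliumClusterwideNetworkPolicy",
        "spec": {"endpointSelector": {"matchLabels": {"app": "batch"}}},
    },
}


def report() -> Dict[str, List[str]]:
    """Evaluate every sample and return name -> violations, mirroring a dry run."""
    return {name: validate_ccnp(m) for name, m in SAMPLE_CCNPS.items()}


if __name__ == "__main__":
    for name, violations in report().items():
        print(f"{name}: {'ADMIT' if not violations else 'DENY ' + '; '.join(violations)}")
```

The `enableDefaultDeny` value must be literally `false`; a CCNP that sets it to `true` or leaves it out is denied, which is the same behaviour the CEL rules produce once the `has(object.spec.enableDefaultDeny)` guard is in place.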