OPA Gatekeeper ExternalIP Constraint
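# Copyright 2020 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ConstraintTemplate: defines the K8sExternalIPs constraint kind.
# A constraint of this kind rejects admission of a Service whose
# spec.externalIPs contains an address not listed in the constraint's
# `allowedIPs` parameter. Only spec.externalIPs is inspected; the
# template does not look at any other Service field.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sexternalips
spec:
  crd:
    spec:
      names:
        kind: K8sExternalIPs
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          properties:
            allowedIPs:
              description: >-
                IP addresses that may appear in Service.spec.externalIPs.
                Any externalIP not in this list causes a violation; an
                empty list therefore forbids every externalIP.
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package externalips

        # Emits one violation per Service (core API group) whose
        # externalIPs are not all contained in parameters.allowedIPs.
        violation[{"msg": msg}] {
          input.review.kind.kind == "Service"
          input.review.kind.group == ""
          # Both lists are turned into sets, so ordering and duplicate
          # entries on either side do not matter. A Service without
          # spec.externalIPs yields an empty set and never violates.
          allowedIPs := {ip | ip := input.parameters.allowedIPs[_]}
          externalIPs := {ip | ip := input.review.object.spec.externalIPs[_]}
          # Set difference: everything the Service asks for that is not allowed.
          forbiddenIPs := externalIPs - allowedIPs
          count(forbiddenIPs) > 0
          msg := sprintf("service has forbidden external IPs: %v", [forbiddenIPs])
        }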
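---
# Constraint: applies the K8sExternalIPs template to every Service in
# the core ("") API group. The `allowedIPs` value below is a single
# address from a documentation/example range; replace it with the
# externalIPs the cluster is actually permitted to expose. Leaving the
# list empty forbids all externalIPs.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
  parameters:
    allowedIPs:
      - "203.0.113.0"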