tallclair/external-ip-template.yaml Secret

## external-ip-template.yaml
# Copyright 2020 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sexternalips
spec:
  crd:
    spec:
      names:
        kind: K8sExternalIPs
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          properties:
            allowedIPs:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package externalips

        violation[{"msg": msg}] {
          input.review.kind.kind == "Service"
          input.review.kind.group == ""

          allowedIPs := {ip | ip := input.parameters.allowedIPs[_]}
          externalIPs := {ip | ip := input.review.object.spec.externalIPs[_]}
          forbiddenIPs := externalIPs - allowedIPs
          count(forbiddenIPs) > 0

          msg := sprintf("service has forbidden external IPs: %v", [forbiddenIPs])
        }

## sample-constraint.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
  parameters:
    allowedIPs:
      - "203.0.113.0"
	# Copyright 2020 The Kubernetes Authors.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	apiVersion: templates.gatekeeper.sh/v1beta1
	kind: ConstraintTemplate
	metadata:
	name: k8sexternalips
	spec:
	crd:
	spec:
	names:
	kind: K8sExternalIPs
	validation:
	# Schema for the `parameters` field
	openAPIV3Schema:
	properties:
	allowedIPs:
	type: array
	items:
	type: string
	targets:
	- target: admission.k8s.gatekeeper.sh
	rego: \|
	package externalips

	violation[{"msg": msg}] {
	input.review.kind.kind == "Service"
	input.review.kind.group == ""

	allowedIPs := {ip \| ip := input.parameters.allowedIPs[_]}
	externalIPs := {ip \| ip := input.review.object.spec.externalIPs[_]}
	forbiddenIPs := externalIPs - allowedIPs
	count(forbiddenIPs) > 0

	msg := sprintf("service has forbidden external IPs: %v", [forbiddenIPs])
	}
	apiVersion: constraints.gatekeeper.sh/v1beta1
	kind: K8sExternalIPs
	metadata:
	name: external-ips
	spec:
	match:
	kinds:
	- apiGroups: [""]
	kinds: ["Service"]
	parameters:
	allowedIPs:
	- "203.0.113.0"