ingress-conflict.rego
package admission
import data.k8s.matches
##############################################################################
#
# Policy : Ingress hostnames must be unique across Namespaces.
#
# This policy shows how you can express a pair-wise search. In this case, there
# is a violation if any two Ingresses in different namespaces share a hostname. Note, you can
# query OPA to determine whether a single Ingress violates the policy (in which
# case the cost is linear with the # of Ingresses) or you can query for the set
# of all Ingresses that violate the policy (in which case the cost is (# of
# Ingresses)^2.)
#
##############################################################################
# Emit one deny entry per Ingress whose rule host is also claimed by an
# Ingress in another namespace. Each entry carries the policy id, the
# offending resource (kind/namespace/name) and a single message string.
deny[{
  "id": "{{AzurePolicyID}}",
  "resource": {"kind": "ingresses", "namespace": namespace, "name": name},
  "resolution": {"message": msg},
}] {
  # Pair every Ingress with every Ingress that lives in a different
  # namespace. `namespace` and `name` flow into the head, so both members
  # of a conflicting pair produce their own deny entry.
  some other_ns, other_name
  matches[["ingresses", namespace, name, ingress]]
  matches[["ingresses", other_ns, other_name, other]]
  other_ns != namespace

  # A conflict is any rule host that both Ingresses declare. Hosts are
  # compared by exact string equality, so an overlapping wildcard host
  # (`*.example.com` vs `app.example.com`) is not reported by this rule.
  host := ingress.spec.rules[_].host
  host == other.spec.rules[_].host

  # azure-dataplane-policy-k8s expects "policyid, kind, name, message";
  # only the Ingress name is interpolated, the namespace is in `resource`.
  msg := sprintf("{{AzurePolicyID}}, ingresses, %v, ingress host conflicts with an existing ingress", [name])
}