developer-guy · November 26, 2020 08:44
diff --git a/opa-gatekeeper-allowed-repos.yaml b/opa-gatekeeper-allowed-repos.yaml
 apiVersion: templates.gatekeeper.sh/v1beta1
 kind: ConstraintTemplate
 metadata:
  name: k8sallowedrepos
 spec:
  crd:
    spec:
      names:
        kind: K8sAllowedRepos
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          properties:
            repos:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sallowedrepos
        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
          not any(satisfied)
          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
        }
        violation[{"msg": msg}] {
          container := input.review.object.spec.initContainers[_]
          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
          not any(satisfied)
          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
        }
 ---
 apiVersion: constraints.gatekeeper.sh/v1beta1
 kind: K8sAllowedRepos
 metadata:
  name: prod-repo-is-internalregst
 spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "production"
  parameters:
    repos:
      - "private.registry.com"
	apiVersion: templates.gatekeeper.sh/v1beta1
	kind: ConstraintTemplate
	metadata:
	name: k8sallowedrepos
	spec:
	crd:
	spec:
	names:
	kind: K8sAllowedRepos
	validation:
	# Schema for the `parameters` field
	openAPIV3Schema:
	properties:
	repos:
	type: array
	items:
	type: string
	targets:
	- target: admission.k8s.gatekeeper.sh
	rego: \|
	package k8sallowedrepos
	violation[{"msg": msg}] {
	container := input.review.object.spec.containers[_]
	satisfied := [good \| repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
	not any(satisfied)
	msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
	}
	violation[{"msg": msg}] {
	container := input.review.object.spec.initContainers[_]
	satisfied := [good \| repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
	not any(satisfied)
	msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
	}
	---
	apiVersion: constraints.gatekeeper.sh/v1beta1
	kind: K8sAllowedRepos
	metadata:
	name: prod-repo-is-internalregst
	spec:
	match:
	kinds:
	- apiGroups: [""]
	kinds: ["Pod"]
	namespaces:
	- "production"
	parameters:
	repos:
	- "private.registry.com"