jmassardo
/ ExcludeNamespace.rego
Created
February 19, 2021 14:20
Simple Rego rule to exclude certain k8s namespaces
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # List of namespaces to exclude | |
| excludedNamespaces = {"good", "ok"} | |
| imageSafety[decision] { | |
| # This rule compares the namespace from the admission controller | |
| # to the list of namespaces above | |
| not excludedNamespaces[input.request.namespace] | |
| data.library.v1.kubernetes.admission.workload.v1.block_latest_image_tag[message] | |
| decision := { |
jmassardo
/ DASRuleCustomName.rego
Created
February 19, 2021 14:21
Example of how to give a rule a custom name so it can be called individually from a unit test
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # List of namespaces to exclude | |
| excludedNamespaces = {"good", "ok"} | |
| imageSafety[decision] { | |
| # This rule compares the namespace from the admission controller | |
| # to the list of namespaces above | |
| not excludedNamespaces[input.request.namespace] | |
| data.library.v1.kubernetes.admission.workload.v1.block_latest_image_tag[message] | |
| decision := { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package policy["com.styra.kubernetes.validating"].test.test | |
| # import the rules from this system | |
| import data.policy["com.styra.kubernetes.validating"].rules.rules | |
| # Name the test something specifc | |
| test_excludedNamespaceGood { | |
| # `in` represents the JSON input that comes from the k8s admission controller | |
| # it doesn't have to be a full deployment, it only needs to represent the data point(s) being tested | |
| in := { |
jmassardo
/ TerraformRequiredTags.rego
Created
February 19, 2021 17:07
Ensure that Terraform resources have required tags
jmassardo
/ ArmTemplateImageSafety.rego
Created
February 19, 2021 17:11
Resources in ARM Templates should not use the `latest` image version
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| deny[msg] { | |
| input.resources[_].properties.storageProfile.imageReference.version == "latest" | |
| msg := "Resources should not use the `latest` image version" | |
| } |
jmassardo
/ TerraformAzureInsecureNSGPorts.rego
Created
February 19, 2021 20:34
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # List of insecure ports | |
| disallowedPorts = {"22", "80", "3389"} | |
| deny[msg] { | |
| # loop through the resources and find all the network security groups. | |
| # Get all their security rules and destination ports | |
| resourcePorts := {p | c = input.resource_changes[_]; | |
| p = c.change.after.security_rule[_].destination_port_range} | |
| # Find any resource ports that match a port on the disallowed list |
jmassardo
/ rego_testing1.rego
Created
March 19, 2021 18:11
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #example.rego | |
| package authz | |
| allow { | |
| input.path == ["users"] | |
| input.method == "POST" | |
| } |
jmassardo
/ rego_testing2.rego
Created
March 19, 2021 18:13
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #example_test.rego | |
| test_post_allowed { | |
| allow with input as {"path": ["users"], "method": "POST"} | |
| } |
jmassardo
/ rego_testing3.rego
Created
March 19, 2021 18:14
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| test_post_allowed { | |
| in := {"path": ["users"], "method": "POST"} | |
| allow with input as in | |
| } |
jmassardo
/ rego_testing4.rego
Created
March 19, 2021 18:16
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| enforce[decision] { | |
| not excludedNamespaces[input.request.namespace] | |
| data.library.v1.kubernetes.admission.workload.v1.block_privileged_mode[message] | |
| decision := { | |
| "allowed": false, | |
| "message": message | |
| } | |
| } |