apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8spodhostnetworkingports
  annotations:
    description: Controls usage of host networking and ports.
spec:
  crd:
    spec:
      names:
        kind: K8sPodHostNetworkingPorts
      validation:
        openAPIV3Schema:
          type: object
          properties:
            hostNetwork:
              type: boolean
            min:
              type: integer
            max:
              type: integer
            ops:
              type: array
              items:
                type: string
            errMsg:
              type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      libs: 
        - |
          package lib.k8s.helpers

          constraint_ops = value {
            value := input.parameters.ops
          }

          review_operation = value {
            value := input.review.operation
          }

          review_metadata_labels = value {
            value := input.review.object.metadata.labels
          }

          review_spec_template_metadata_labels = value {
            value := input.review.object.spec.template.metadata.labels
          }

          deployment_containers = value {
            value := input.review.object.spec.template.spec.containers
          }

          deployment_init_containers = value {
            value := input.review.object.spec.template.spec.initContainers
          }

          deployment_pod = value {
            value := input.review.object.spec.template.spec
          }

          review_id = value {
            value := sprintf("%v/%v/%v", [
              review_kind,
              review_namespace,
              review_name
            ])
          }

          review_name = value {
            value := input.review.object.metadata.name
          }

          else = value {
            value := "NOT_FOUND"
          }

          review_namespace = value {
            value := input.review.object.metadata.namespace
          }

          else = value {
            value := "NOT_FOUND"
          }

          review_kind = value {
            value := input.review.kind.kind
          }

          else = value {
            value := "NOT_FOUND"
          }
      rego: |
        package k8spodhostnetworkingports

        import data.lib.k8s.helpers as helpers

        violation[{"msg": msg, "details": {}}] {
          helpers.review_operation = helpers.constraint_ops[_]
          share_hostnetwork(input.review.object)
          msg := sprintf("%v: The specified hostNetwork and hostPort are not allowed in pod spec. Resource ID (kind/ns/name): %v.", [input.parameters.errMsg,helpers.review_id])
        }

        share_hostnetwork(o) {
          not input.parameters.hostNetwork
          o.spec.hostNetwork
        }

        share_hostnetwork(o) {
          hostPort := input_containers[_].ports[_].hostPort
          hostPort < input.parameters.min
        }

        share_hostnetwork(o) {
          hostPort := input_containers[_].ports[_].hostPort
          hostPort > input.parameters.max
        }

        input_containers[c] {
          c := input.review.object.spec.containers[_]
        }

        input_containers[c] {
          c := input.review.object.spec.initContainers[_]
        }