kind: ConfigMap
apiVersion: v1
metadata:
  name: clusterip-svc-ext-ips-allowed
  namespace: opa
  labels:
    app: opa
    owner: jimmy
    openpolicyagent.org/policy: rego
data:
  main: |
    package kubernetes.admission

    import data.lib.k8s.helpers as helpers   

    deny[msg] {
      helpers.request_kind = "Service"
      helpers.allowed_operations[helpers.request_operation]
      helpers.request_object.spec.type = "ClusterIP"
      aips := helpers.allowed_ext_ips
      ips := helpers.request_object.spec.externalIPs
      helpers.ips_allowed(aips,ips)
      msg = sprintf("%q: ClusterIP service external IPs are not found in the Allowed IPs list. Allowed IPs: %q, Submitted IPs: %q. Resource ID (ns/name/kind): %q", [helpers.service_error,aips,ips,helpers.request_id])
    }