kind: ConfigMap
apiVersion: v1
metadata:
  name: deployment-security-context
  namespace: opa
  labels:
    app: opa
    owner: jimmy
    openpolicyagent.org/policy: rego
data:
  main: |
    package kubernetes.admission

    import data.lib.k8s.helpers as helpers

    deny[msg] {
      helpers.request_kind = "Deployment"
      helpers.allowed_operations[helpers.request_operation]
      container = helpers.deployment_containers[_]
      not container.securityContext
      msg = sprintf("%q: Valid securityContext element not found in %q container.  Resource ID (ns/name/kind): %q.", [helpers.deployment_error,container.name,helpers.request_id])
    }

    deny[msg] {
      helpers.request_kind = "Deployment"
      helpers.allowed_operations[helpers.request_operation]
      container = helpers.deployment_containers[_]
      container.securityContext.privileged
      msg = sprintf("%q: The securityContext element for %q container is privileged. Resource ID (ns/name/kind): %q", [helpers.deployment_error,container.name,helpers.request_id])
    }

    deny[msg] {
      helpers.request_kind = "Deployment"
      helpers.allowed_operations[helpers.request_operation]
      container = helpers.deployment_containers[_]
      container.securityContext.allowPrivilegeEscalation
      msg = sprintf("%q: The securityContext element for container %q allows privilege escalation.Resource ID (ns/name/kind): %q", [helpers.deployment_error,container.name,helpers.request_id])
    }

    deny[msg] {
      helpers.request_kind = "Deployment"
      helpers.allowed_operations[helpers.request_operation]
      container = helpers.deployment_containers[_]
      not container.securityContext.runAsUser > 0
      msg = sprintf("%q: The securityContext element for container %q is set to run as UID 0. Resource ID (ns/name/kind): %q", [helpers.deployment_error,container.name,helpers.request_id])
    }

    deny[msg] {
      helpers.request_kind = "Deployment"
      helpers.allowed_operations[helpers.request_operation]
      container = helpers.deployment_containers[_]
      not container.securityContext.readOnlyRootFilesystem
      msg = sprintf("%q: The securityContext element for container %q does not have a readonly root filesystem element.Resource ID (ns/name/kind): %q", [helpers.deployment_error,container.name,helpers.request_id])
    }

    deny[msg] {
      helpers.request_kind = "Deployment"
      helpers.allowed_operations[helpers.request_operation]
      container = helpers.deployment_containers[_]
      container.securityContext.readOnlyRootFilesystem == false
      msg = sprintf("%q: The securityContext element for container %q does not have a readonly root filesystem.Resource ID (ns/name/kind): %q", [helpers.deployment_error,container.name,helpers.request_id])
    }