kind: ConfigMap
apiVersion: v1
metadata:
  name: deployment-registry-allowed
  namespace: opa
  labels:
    app: opa
    owner: jimmy
    openpolicyagent.org/policy: rego
data:
  main: |
    package kubernetes.admission

    import data.lib.k8s.helpers as helpers

    deny[msg] {
      helpers.request_kind = "Deployment"
      helpers.allowed_operations[helpers.request_operation]
      image = helpers.deployment_containers[_].image
      not reg_matches_any(image,valid_deployment_registries_v2)
      msg = sprintf("%q: %q image is not sourced from an authorized registry. Resource ID (ns/name/kind): %q", [helpers.deployment_error,image,helpers.request_id])
    }

    valid_deployment_registries_v2 = {registry |
      allowed = "GOOD_REGISTRY,VERY_GOOD_REGISTRY"
      registries = split(allowed, ",")
      registry = registries[_]
    }

    reg_matches_any(str, patterns) {
      reg_matches(str, patterns[_])
    }

    reg_matches(str, pattern) {
      contains(str, pattern)
    }