kind: ConfigMap
apiVersion: v1
metadata:
  name: clusterip-svc-ext-ips
  namespace: opa
  labels:
    app: opa
    owner: jimmy
    openpolicyagent.org/policy: rego
data:
  main: |
    package kubernetes.admission

    import data.lib.k8s.helpers as helpers   

    deny[msg] {
      helpers.request_kind = "Service"
      helpers.allowed_operations[helpers.request_operation]
      helpers.request_object.spec.type = "ClusterIP"
      helpers.request_object.spec.externalIPs
      msg = sprintf("%q: ClusterIP service cannot specify externalIPs element. Resource ID (ns/name/kind): %q", [helpers.service_error,helpers.request_id])
    }