apiVersion: templates.gatekeeper.sh/v1beta1 kind: ConstraintTemplate metadata: name: k8sdepregistry spec: crd: spec: names: kind: K8sDepRegistry listKind: K8sDepRegistryList plural: k8sdepregistry singular: k8sdepregistry validation: # Schema for the `parameters` field openAPIV3Schema: properties: allowedOps: type: array items: type: string allowedRegistries: type: array items: type: string errMsg: type: string targets: - target: admission.k8s.gatekeeper.sh libs: - | package lib.k8s.helpers allowed_operations = value { value := {"CREATE", "UPDATE"} } review_operation = value { value := input.review.operation } review_metadata_labels = value { value := input.review.object.metadata.labels } review_spec_template_metadata_labels = value { value := input.review.object.spec.template.metadata.labels } deployment_error = value { value := "DEPLOYMENT_INVALID" } deployment_containers = value { value := input.review.object.spec.template.spec.containers } deployment_role = value { value := input.review.object.spec.template.metadata.annotations["iam.amazonaws.com/role"] } review_id = value { value := sprintf("%v/%v/%v", [ review_namespace, review_name, review_kind ]) } review_name = value { value := input.review.object.metadata.name } else = value { value := "NOT_FOUND" } review_namespace = value { value := input.review.object.metadata.namespace } else = value { value := "NOT_FOUND" } review_kind = value { value := input.review.kind.kind } else = value { value := "NOT_FOUND" } rego: | package k8sdepregistry import data.lib.k8s.helpers as helpers violation[{"msg": msg, "details": {}}] { helpers.review_operation = input.parameters.allowedOps[_] image = helpers.deployment_containers[_].image not reg_matches_any(image,input.parameters.allowedRegistries) msg = sprintf("%v: %v image is not sourced from an authorized registry. Resource ID (ns/name/kind): %v", [input.parameters.errMsg,image,helpers.review_id]) } reg_matches_any(str, patterns) { reg_matches(str, patterns[_]) } reg_matches(str, pattern) { contains(str, pattern) }