apiVersion: templates.gatekeeper.sh/v1beta1 kind: ConstraintTemplate metadata: name: k8sdepresources spec: crd: spec: names: kind: K8sDepResources listKind: K8sDepResourcesList plural: k8sdepresources singular: k8sdepresources validation: # Schema for the `parameters` field openAPIV3Schema: properties: allowedOps: type: array items: type: string errMsg: type: string targets: - target: admission.k8s.gatekeeper.sh libs: - | package lib.k8s.helpers allowed_operations = value { value := {"CREATE", "UPDATE"} } review_operation = value { value := input.review.operation } review_metadata_labels = value { value := input.review.object.metadata.labels } review_spec_template_metadata_labels = value { value := input.review.object.spec.template.metadata.labels } deployment_error = value { value := "DEPLOYMENT_INVALID" } deployment_containers = value { value := input.review.object.spec.template.spec.containers } deployment_role = value { value := input.review.object.spec.template.metadata.annotations["iam.amazonaws.com/role"] } # readonly_filesystem = value { # container := deployment_containers[_] # x := container. # } review_id = value { value := sprintf("%v/%v/%v", [ review_namespace, review_name, review_kind ]) } review_name = value { value := input.review.object.metadata.name } else = value { value := "NOT_FOUND" } review_namespace = value { value := input.review.object.metadata.namespace } else = value { value := "NOT_FOUND" } review_kind = value { value := input.review.kind.kind } else = value { value := "NOT_FOUND" } rego: | package k8sdepsecuritycontext import data.lib.k8s.helpers as helpers violation[{"msg": msg, "details": {}}] { helpers.review_operation = input.parameters.allowedOps[_] container = helpers.deployment_containers[_] not container.resources msg := sprintf("%v: Valid resources element not found. Resource ID (ns/name/kind): %v", [input.parameters.errMsg,helpers.review_id]) } violation[{"msg": msg, "details": {}}] { helpers.review_operation = input.parameters.allowedOps[_] container = helpers.deployment_containers[_] not container.resources.limits msg := sprintf("%v: Valid resources.limits element not found. Resource ID (ns/name/kind): %v", [input.parameters.errMsg,helpers.review_id]) } violation[{"msg": msg, "details": {}}] { helpers.review_operation = input.parameters.allowedOps[_] container = helpers.deployment_containers[_] not container.resources.limits.cpu msg := sprintf("%v: Valid resources.limits.cpu element not found. Resource ID (ns/name/kind): %v", [input.parameters.errMsg,helpers.review_id]) } violation[{"msg": msg, "details": {}}] { helpers.review_operation = input.parameters.allowedOps[_] container = helpers.deployment_containers[_] not container.resources.limits.memory msg := sprintf("%v: Valid resources.limits.memory element not found. Resource ID (ns/name/kind): %v", [input.parameters.errMsg,helpers.review_id]) } violation[{"msg": msg, "details": {}}] { helpers.review_operation = input.parameters.allowedOps[_] container = helpers.deployment_containers[_] not container.resources.requests msg := sprintf("%v: Valid resources.requests element not found. Resource ID (ns/name/kind): %v", [input.parameters.errMsg,helpers.review_id]) } violation[{"msg": msg, "details": {}}] { helpers.review_operation = input.parameters.allowedOps[_] container = helpers.deployment_containers[_] not container.resources.requests.cpu msg := sprintf("%v: Valid resources.requests.cpu element not found. Resource ID (ns/name/kind): %v", [input.parameters.errMsg,helpers.review_id]) } violation[{"msg": msg, "details": {}}] { helpers.review_operation = input.parameters.allowedOps[_] container = helpers.deployment_containers[_] not container.resources.requests.memory msg := sprintf("%v: Valid resources.requests.memory element not found. Resource ID (ns/name/kind): %v", [input.parameters.errMsg,helpers.review_id]) }