apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredtolerationpod
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredTolerationPod
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          properties:
            ops:
              type: array
              items:
                type: string
            tolerations:
              type: array
              items:
                type: object
                properties:
                  key:
                    type: string
                  value:
                    type: string
                  effect:
                    type: string
                  operator:
                    type: string
            errMsg:
              type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      libs: 
        - |
          package lib.k8s.helpers

          allowed_operations = value {
            value := {"CREATE", "UPDATE"}
          }

          review_operation = value {
            value := input.review.operation
          }

          review_metadata_labels = value {
            value := input.review.object.metadata.labels
          }

          review_spec_template_metadata_labels = value {
            value := input.review.object.spec.template.metadata.labels
          }

          deployment_error = value {
            value := "DEPLOYMENT_INVALID"
          }

          deployment_containers = value {
            value := input.review.object.spec.template.spec.containers
          }

          deployment_role = value {
            value := input.review.object.spec.template.metadata.annotations["iam.amazonaws.com/role"]
          }

          review_id = value {
            value := sprintf("%v/%v/%v", [
              review_namespace,
              review_name,
              review_kind
            ])
          }

          review_name = value {
            value := input.review.object.metadata.name
          }

          else = value {
            value := "NOT_FOUND"
          }

          review_namespace = value {
            value := input.review.object.metadata.namespace
          }

          else = value {
            value := "NOT_FOUND"
          }

          review_kind = value {
            value := input.review.kind.kind
          }

          else = value {
            value := "NOT_FOUND"
          }

          review_tolerations = value {
            value := input.review.object.spec.template.spec.tolerations
          }
      rego: |
        package k8srequiredtolerations

        import data.lib.k8s.helpers as helpers

        violation[{"msg": msg, "details": {"missing":missing}}] {
          input.review.operation == input.parameters.ops[_]
          provided := {x | x := input.review.object.spec.tolerations[_]}
          required := {x | x := input.parameters.tolerations[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("%v: Resource missing correct toleration(s). Provided toleration(s): %v, Required toleration(s): %v. Resource ID (ns/name/kind): %v", [input.parameters.errMsg,provided,required,helpers.review_id])
        }