31 lines
951 B
YAML
31 lines
951 B
YAML
|
apiVersion: templates.gatekeeper.sh/v1beta1
|
||
|
kind: ConstraintTemplate
|
||
|
metadata:
|
||
|
name: restrictedpaths
|
||
|
spec:
|
||
|
crd:
|
||
|
spec:
|
||
|
names:
|
||
|
kind: RestrictedPaths
|
||
|
validation:
|
||
|
openAPIV3Schema:
|
||
|
properties:
|
||
|
paths:
|
||
|
type: array
|
||
|
items: string
|
||
|
targets:
|
||
|
- target: admission.k8s.gatekeeper.sh
|
||
|
rego: |
|
||
|
package restrictedPaths
|
||
|
|
||
|
violation[{"msg": msg}] {
|
||
|
# get all the paths for HostPath volumes:
|
||
|
requested := {path | v := input.review.object.spec.volumes[_]
|
||
|
path := v.hostPath.path}
|
||
|
# get all the restricted paths:
|
||
|
restricted := {path | path:= input.parameters.paths[_]}
|
||
|
# if any match then the request is blocked:
|
||
|
blocked := requested & restricted
|
||
|
count(blocked) > 0
|
||
|
msg := sprintf("HostPath '%v' is restricted", [blocked])
|
||
|
}
|