
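---
# Gatekeeper ConstraintTemplate "restrictedpaths": denies an admission request
# whose object mounts a hostPath volume at a path listed in the constraint's
# `parameters.paths`. A RestrictedPaths constraint supplies that list.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: restrictedpaths
spec:
  crd:
    spec:
      names:
        kind: RestrictedPaths
      validation:
        # Schema for the constraint's `parameters` block. `items` must itself be
        # a schema object; the original `items: string` is not valid OpenAPI v3
        # and is rejected when the template is applied.
        openAPIV3Schema:
          properties:
            paths:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package restrictedPaths

        violation[{"msg": msg}] {
          # get all the paths for HostPath volumes; volumes without hostPath
          # contribute nothing. Only `spec.volumes` of the reviewed object is
          # read (i.e. Pod-shaped objects) — presumably pod templates nested
          # under `spec.template.spec` are not covered; confirm against the
          # constraint's `match.kinds`.
          requested := {path | v := input.review.object.spec.volumes[_]
                               path := v.hostPath.path}
          # get all the restricted paths from the constraint parameters:
          restricted := {path | path:= input.parameters.paths[_]}
          # exact string equality only: a restricted "/etc" does not cover
          # "/etc/" or "/etc/passwd", so every spelling and subpath to deny
          # must be listed explicitly.
          blocked := requested & restricted
          # if any match then the request is blocked:
          count(blocked) > 0
          msg := sprintf("HostPath '%v' is restricted", [blocked])
        }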