package authorization
import data.k8s.matches
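# Deny "use" of the `privileged` PodSecurityPolicy from any namespace other than
# kube-system or istio-system.
#
# The object bound by `matches` is SubjectAccessReview-shaped (it is read through
# resource.spec.resourceAttributes), so this rule applies to authorization checks,
# not to the pod object itself.
#
# PodSecurityPolicy is served under both the legacy `extensions` API group and the
# `policy` API group, and the "use" authorization check can carry either depending
# on the Kubernetes version. Both are matched here; matching only `extensions`
# would let a `policy`-group request through unchecked.
#
# A request whose resourceAttributes has no `namespace` field makes re_match
# undefined; `not` of an undefined expression succeeds, so such a request is
# denied (fail closed) rather than silently allowed.
deny[{
    "id": "podsecuritypolicies-kube-system",
    "resource": {
        "kind": kind,
        "namespace": namespace,
        "name": name,
    },
    "resolution": {"message": "You're not allowed to use the privileged PodSecurityPolicies in pods outside of kube-system and istio-system"},
}] {
    matches[[kind, namespace, name, resource]]
    attrs = resource.spec.resourceAttributes
    # PSP lives under both API groups; accept either one.
    {"extensions", "policy"}[attrs.group]
    attrs.resource = "podsecuritypolicies"
    attrs.name = "privileged"
    attrs.verb = "use"
    # Anchored so that e.g. "kube-system-evil" does not match the allow-list.
    not re_match("^(kube-system|istio-system)$", attrs.namespace)
}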