package authorization
import data.k8s.matches
# Deny rule: blocks create/update/delete (as classified by match_cud) of
# ValidatingWebhookConfigurations and MutatingWebhookConfigurations in the
# admissionregistration.k8s.io group whose name is classified by is_system,
# unless user_system_control_plane(resource.spec.user) holds for the caller.
#
# `resource` is whatever data.k8s.matches binds for the request; the fields
# read here (spec.user, spec.resourceAttributes.{group,resource,name,verb})
# look like a SubjectAccessReview — confirm against the matches definition.
#
# NOTE(review): is_system, match_cud and user_system_control_plane live
# outside this file. Things that depend on them and should be checked before
# trusting this rule: whether "patch" and "deletecollection" verbs are
# covered by match_cud (an update via PATCH is authorized as verb "patch",
# not "update"); whether a create that arrives with an empty
# resourceAttributes.name (generateName) is caught by is_system; and whether
# is_system really means "starts with 'system'" as the message claims.
deny[{
	"id": "webhookconfigurations-system",
	"resource": {
		"kind": kind,
		"namespace": namespace,
		"name": name,
	},
	"resolution": {"message": "You're not allowed to create/update/delete ValidatingWebhookConfigurations & MutatingWebhookConfigurations starting with 'system'"},
}] {
	matches[[kind, namespace, name, resource]]
	# Undefined when the request carries no resourceAttributes
	# (non-resource URL), so the rule simply does not fire.
	attrs = resource.spec.resourceAttributes
	attrs.group = "admissionregistration.k8s.io"
	# Anchored, case-sensitive: only the two lowercase plural resource names.
	re_match("^(validatingwebhookconfigurations|mutatingwebhookconfigurations)$", attrs.resource)
	is_system(attrs.name)
	match_cud(attrs.verb)
	# Control-plane identities are exempt from the deny.
	not user_system_control_plane(resource.spec.user)
}