package admission
import data.k8s.matches
###############################################################################
#
# Policy : check that each container image name matches one of the whitelisted patterns,
# e.g. that the image comes from an organization registry.
#
###############################################################################
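# deny contains one violation per container of a pod in the "qa" namespace
# whose image does not match the allowed-image regex.
#
# Fields of each violation:
#   id         - "{{AzurePolicyID}}", identifies the type of violation
#   resource   - kind, namespace and name of the offending pod
#   resolution - human-readable message; the format
#                "policyid, kind, name, message" is required by
#                azure-dataplane-policy-k8s
#
# Init containers pull and run images the same way as regular containers, so
# they are subject to the same check (second rule body below); without it a pod
# could be admitted while running an unvetted image in an init container.
deny[violation] {
    matches[["pods", namespace, name, matched_pod]]
    namespace == "qa"
    container := matched_pod.spec.containers[_]
    not image_allowed(container.image)
    violation := image_violation(namespace, name, container.image)
}

deny[violation] {
    matches[["pods", namespace, name, matched_pod]]
    namespace == "qa"
    # undefined when the pod declares no initContainers, which yields no violation
    container := matched_pod.spec.initContainers[_]
    not image_allowed(container.image)
    violation := image_violation(namespace, name, container.image)
}

# image_allowed is true when image matches the configured regex.
# re_match is unanchored (a match anywhere in the string succeeds), so the
# allowedContainerImagesRegex parameter must anchor its pattern (^...$);
# otherwise an image whose name merely contains the allowed registry as a
# substring would pass the check.
image_allowed(image) {
    re_match("{{policyParameters.allowedContainerImagesRegex}}", image)
}

# image_violation builds the violation object reported for a disallowed image
# of the named pod.
image_violation(namespace, name, image) = {
    "id": "{{AzurePolicyID}}", # identifies type of violation
    "resource": {
        "kind": "pods", # identifies kind of resource
        "namespace": namespace, # identifies namespace of resource
        "name": name # identifies name of resource
    },
    "resolution": {"message": msg}, # provides human-readable message to display
} {
    # To work with azure-dataplane-policy-k8s, msg needs to be in the format of
    # "policyid, kind, name, message"
    msg := sprintf("{{AzurePolicyID}}, pods, %v, invalid container registry image %q", [name, image])
}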