Added policy for scc's (#14)
garethahealy authored Jun 3, 2020
1 parent c8df31c commit 48084a3
Showing 3 changed files with 14 additions and 1 deletion.
6 changes: 6 additions & 0 deletions _test/ocp-43-deprecated-apiversions/template.yml
Expand Up @@ -9,6 +9,7 @@ kind: Template
metadata:
name: Foo
objects:
# Project Scoped
- apiVersion: v1
kind: ProjectRequest
metadata:
Expand All @@ -31,5 +32,10 @@ objects:
name: Bar
- apiVersion: v1
kind: Route
metadata:
name: Bar
# Cluster Scoped
- apiVersion: v1
kind: SecurityContextConstraints
metadata:
name: Bar
3 changes: 2 additions & 1 deletion _test/tests.bats
Expand Up @@ -33,5 +33,6 @@
[ "${lines[5]}" = "not ok 5 - _test/ocp-43-deprecated-apiversions/template.yml - DeploymentConfig/Bar: API v1 for DeploymentConfig is no longer served by default, use apps.openshift.io/v1 instead." ]
[ "${lines[6]}" = "not ok 6 - _test/ocp-43-deprecated-apiversions/template.yml - RoleBinding/Bar: API v1 for RoleBinding is no longer served by default, use rbac.authorization.k8s.io/v1 instead." ]
[ "${lines[7]}" = "not ok 7 - _test/ocp-43-deprecated-apiversions/template.yml - Route/Bar: API v1 for Route is no longer served by default, use route.openshift.io/v1 instead." ]
[ "${lines[8]}" = "# Successes" ]
[ "${lines[8]}" = "not ok 8 - _test/ocp-43-deprecated-apiversions/template.yml - SecurityContextConstraints/Bar: API v1 for SecurityContextConstraints is no longer served by default, use security.openshift.io/v1 instead." ]
[ "${lines[9]}" = "# Successes" ]
}
6 changes: 6 additions & 0 deletions policy/ocp-43-deprecated-apiversions.rego
Expand Up @@ -72,4 +72,10 @@ _deny = msg {
input.apiVersion == "v1"
input.kind == "Route"
msg := sprintf("%s/%s: API v1 for Route is no longer served by default, use route.openshift.io/v1 instead.", [input.kind, input.metadata.name])
}

_deny = msg {
input.apiVersion == "v1"
input.kind == "SecurityContextConstraints"
msg := sprintf("%s/%s: API v1 for SecurityContextConstraints is no longer served by default, use security.openshift.io/v1 instead.", [input.kind, input.metadata.name])
}
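Review bot: The new SecurityContextConstraints `_deny` rule fails open when the object carries no `metadata.name`, because `input.metadata.name` inside the `sprintf` argument list is then undefined, the whole rule body becomes undefined, and no denial is emitted for a v1 SCC. SCCs are cluster-scoped and decide what privileges pods may request, so a manifest that silently passes this check is a worse outcome than a denial with an awkward message. Consider binding the name with a default first, e.g. `name := object.get(input.metadata, "name", "<unnamed>")`, and passing `name` to `sprintf`, provided the OPA version bundled with the test runner offers `object.get`; a fixture without `metadata.name` in `_test/` would pin the behaviour. The Route rule just above uses the same pattern, and its rule head lies outside the hunk.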
