Checks for Ingress on UPDATE

Adds operation support for both CREATE and UPDATE. This allows OPA to prevent updates to an Ingress when it conflicts with another namespace. Only enforcing on CREATE could allow an actor to first apply a valid ingress and then update to a conflicting one. Signed-off-by: David Katz <david.katz@mongodb.com>
tsandall · May 4, 2019 · 0a4744f · 0a4744f
1 parent 76b58c7
commit 0a4744f
Showing 1 changed file with 20 additions and 18 deletions.
diff --git a/docs/content/code/kubernetes-admission-control-validation/ingress-whitelist.rego b/docs/content/code/kubernetes-admission-control-validation/ingress-whitelist.rego
@@ -2,35 +2,37 @@ package kubernetes.admission
 
 import data.kubernetes.namespaces
 
+operations = {"CREATE", "UPDATE"}
+
 deny[msg] {
-    input.request.kind.kind == "Ingress"
-    input.request.operation == "CREATE"
-    host := input.request.object.spec.rules[_].host
-    not fqdn_matches_any(host, valid_ingress_hosts)
-    msg := sprintf("invalid ingress host %q", [host])
+	input.request.kind.kind == "Ingress"
+	operations[input.request.operation]
+	host := input.request.object.spec.rules[_].host
+	not fqdn_matches_any(host, valid_ingress_hosts)
+	msg := sprintf("invalid ingress host %q", [host])
 }
 
 valid_ingress_hosts = {host |
-    whitelist := namespaces[input.request.namespace].metadata.annotations["ingress-whitelist"]
-    hosts := split(whitelist, ",")
-    host := hosts[_]
+	whitelist := namespaces[input.request.namespace].metadata.annotations["ingress-whitelist"]
+	hosts := split(whitelist, ",")
+	host := hosts[_]
 }
 
 fqdn_matches_any(str, patterns) {
-    fqdn_matches(str, patterns[_])
+	fqdn_matches(str, patterns[_])
 }
 
 fqdn_matches(str, pattern) {
-    pattern_parts := split(pattern, ".")
-    pattern_parts[0] == "*"
-    str_parts := split(str, ".")
-    n_pattern_parts := count(pattern_parts)
-    n_str_parts := count(str_parts)
-    suffix := trim(pattern, "*.")
-    endswith(str, suffix)
+	pattern_parts := split(pattern, ".")
+	pattern_parts[0] == "*"
+	str_parts := split(str, ".")
+	n_pattern_parts := count(pattern_parts)
+	n_str_parts := count(str_parts)
+	suffix := trim(pattern, "*.")
+	endswith(str, suffix)
 }
 
 fqdn_matches(str, pattern) {
-    not contains(pattern, "*")
-    str := pattern
+	not contains(pattern, "*")
+	str := pattern
 }