template-constraint.yaml

Authored By
nfraison
Feb 28 2023, 8:34 AM

---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: secretnames
spec:
  crd:
    spec:
      names:
        kind: secretNames
      validation:
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package secretname

        # Reject an object whose metadata.name is not exactly
        # "hdfs-token-<requesting user>". The user is read from the
        # AdmissionReview's userInfo, i.e. the authenticated caller.
        #
        # NOTE(review): the rule does not check `kind` itself; it relies on the
        # Constraint's `match` block (not part of this file) to select Secrets.
        violation[{"msg": msg}] {
          requester := input.review.userInfo.username
          expected := sprintf("hdfs-token-%v", [requester])
          actual := input.review.object.metadata.name
          actual != expected
          msg := sprintf("Bad secret name: %v:%v", [requester, actual])
        }
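---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: secretmountnames
spec:
  crd:
    spec:
      names:
        kind: secretMountNames
      validation:
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package secretmountname

        # `in` is what `some secret in executorsecrets` needs; import it
        # explicitly instead of relying on it coming along with `every`.
        import future.keywords.in

        # Reject the object if any entry of spec.executor.secrets names a Secret
        # other than the requester's own "hdfs-token-<username>" — the name
        # format the secretnames template enforces when Secrets are created.
        #
        # A suffix check (endswith(name, username)) is not sufficient: user "bob"
        # could mount "hdfs-token-alicebob", and in general any user whose name
        # is a suffix of another user's name could mount that user's token.
        # Exact comparison closes that gap.
        #
        # An entry with no `name` field is still reported: object.get yields ""
        # rather than leaving the comparison undefined (which would fail open).
        violation[{"msg": msg}] {
          executorsecrets := input.review.object.spec.executor.secrets
          expected := sprintf("hdfs-token-%v", [input.review.userInfo.username])
          some secret in executorsecrets
          name := object.get(secret, "name", "")
          name != expected
          msg := sprintf("Bad secret name to be mounted: %v", [executorsecrets])
        }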
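---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: serviceaccountexecutors
spec:
  crd:
    spec:
      names:
        kind: serviceAccountExecutors
      validation:
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package serviceaccountexecutor

        # Reject the object when spec.executor.serviceAccount is absent
        # (or any part of that path is missing).
        violation[{"msg": msg}] {
          not input.review.object.spec.executor.serviceAccount
          msg := "Missing svc name"
        }

        # `not ""` is false in Rego, so an explicitly empty serviceAccount would
        # slip past the rule above; treat the empty string as missing too.
        violation[{"msg": msg}] {
          input.review.object.spec.executor.serviceAccount == ""
          msg := "Missing svc name"
        }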
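---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: goodserviceaccountexecutors
spec:
  crd:
    spec:
      names:
        kind: goodServiceAccountExecutors
      validation:
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package goodserviceaccountexecutors

        # Reject the object when spec.executor.serviceAccount is not exactly
        # "spark-run-<requesting user>".
        #
        # The message must reference the executor service account that was
        # actually compared. The earlier version read spec.driver.serviceAccount
        # in the message; when that field is absent the sprintf is undefined,
        # the whole rule body becomes undefined and the violation is silently
        # dropped — a fail-open path for any spec without a driver SA.
        #
        # A missing executor.serviceAccount leaves the comparison undefined and
        # therefore produces no violation here; the serviceaccountexecutors
        # template is responsible for that case.
        violation[{"msg": msg}] {
          sa := input.review.object.spec.executor.serviceAccount
          sa != sprintf("spark-run-%v", [input.review.userInfo.username])
          msg := sprintf("Bad svc name: %v:%v", [sa, input.review.object.metadata.name])
        }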
