redhat-cop/rego-policies

Only use approved domain names in the Ingress hostnames

garethahealy opened this issue · 3 comments

Something like this?

package kubernetes.admission

deny[msg] {
  input.request.kind.kind == "Route"
  # a Route carries its hostname in spec.host
  hostname := input.request.object.spec.host
  not startswith(hostname, "example.com")
  msg := sprintf("hostname not valid BLA BLA BLA %v", [hostname])
}

@jtudelag; yes, the core bits look correct, i.e. not startswith.

But, have a look at the example, as the policies wouldn't explicitly use kubernetes.admission - there might be a use-case for that, but I haven't seen one yet.

So, your policy updated with the helpers would be:

# illustrative package name; the lib imports match the openshift/konstraint helpers used below
package ocp.routes.approved_hostnames

import data.lib.konstraint
import data.lib.openshift

violation[msg] {
  openshift.is_route

  obj := konstraint.object
  # a Route carries its hostname in spec.host
  not startswith(obj.spec.host, "example.com")

  msg := konstraint.format(sprintf("%s/%s: hostname %s is not valid", [obj.kind, obj.metadata.name, obj.spec.host]))
}
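As an added example (not code from this issue or from the rego-policies repo), here is a self-contained version of the policy with unit tests that run with `opa test`. The helper names (`is_route`, `resource`), the approved-domain set and the Route objects are constructed stand-ins for the repo's `openshift`/`konstraint` library; it matches on the domain suffix with a leading dot, so `web.example.com` is accepted while `example.com.attacker.net` is rejected, and it defaults a missing `spec.host` to an empty string so the rule cannot become undefined and fail open.

```rego
package example.approved_hosts

import rego.v1

# Constructed for this example; a real policy could take these as parameters.
approved_domains := {"example.com", "apps.example.com"}

# Stand-ins for the repo's openshift.is_route / konstraint.object helpers.
# Gatekeeper places the admission request under input.review.
is_route if input.review.object.kind == "Route"

resource := input.review.object

# A host is approved only when it is a subdomain of an approved domain.
host_approved(host) if {
	some d in approved_domains
	endswith(host, concat("", [".", d]))
}

violation contains msg if {
	is_route
	# default to "" so an absent host is denied instead of making the rule undefined
	host := object.get(resource.spec, "host", "")
	not host_approved(host)
	msg := sprintf("%s/%s: hostname %q is not under an approved domain",
		[resource.kind, resource.metadata.name, host])
}

# Constructed Route objects for the tests below.
route(host) := {"review": {"object": {
	"kind": "Route",
	"metadata": {"name": "web"},
	"spec": {"host": host},
}}}

test_approved_subdomain_allowed if {
	count(violation) == 0 with input as route("web.example.com")
}

test_unapproved_domain_denied if {
	count(violation) == 1 with input as route("web.evil.example")
}

test_lookalike_prefix_denied if {
	count(violation) == 1 with input as route("example.com.attacker.net")
}

test_missing_host_denied if {
	count(violation) == 1 with input as {"review": {"object": {
		"kind": "Route", "metadata": {"name": "web"}, "spec": {}}}}
}
```

Save it as `approved_hosts.rego` and run `opa test -v .`; all four tests should pass.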