
unpack obscpio files

2024-10-22 10:51:51 +03:00
parent beab68c274
commit 21086b77bb
182 changed files with 15763 additions and 0 deletions


@@ -0,0 +1,16 @@
package main
# validate serviceAccountName
deny[msg] {
input.kind == "Deployment"
serviceAccountName := input.spec.template.spec.serviceAccountName
not serviceAccountName == "release-name-metallb-controller"
msg = sprintf("controller serviceAccountName '%s' does not match expected value", [serviceAccountName])
}
# validate node selector includes builtin when custom ones are provided
deny[msg] {
input.kind == "Deployment"
not input.spec.template.spec.nodeSelector["kubernetes.io/os"] == "linux"
msg = "controller nodeSelector does not include '\"kubernetes.io/os\": linux'"
}
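Review bot: The serviceAccountName rule fails open when the field is absent. `serviceAccountName := input.spec.template.spec.serviceAccountName` is undefined for a Deployment that omits it, so the rule body never completes and no deny is produced, even though such a pod would run under the namespace's default service account. Negating the full path keeps the check closed: `not input.spec.template.spec.serviceAccountName == "release-name-metallb-controller"`, with the message value taken from `object.get(input.spec.template.spec, "serviceAccountName", "<unset>")`. The speaker rule in the DaemonSet policy further down has the same shape and needs the same change.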


@@ -0,0 +1,27 @@
package main
# Validate PSP exists in ClusterRole :controller
deny[msg] {
input.kind == "ClusterRole"
input.metadata.name == "metallb:controller"
input.rules[3] == {
"apiGroups": ["policy"],
"resources": ["podsecuritypolicies"],
"resourceNames": ["metallb-controller"],
"verbs": ["use"]
}
msg = "ClusterRole metallb:controller does not include PSP rule"
}
# Validate PSP exists in ClusterRole :speaker
deny[msg] {
input.kind == "ClusterRole"
input.metadata.name == "metallb:speaker"
input.rules[3] == {
"apiGroups": ["policy"],
"resources": ["podsecuritypolicies"],
"resourceNames": ["metallb-controller"],
"verbs": ["use"]
}
msg = "ClusterRole metallb:speaker does not include PSP rule"
}
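Review bot: Both rules deny when `input.rules[3]` equals the PSP rule, yet the message says the rule is missing, so as written the comparison lacks a `not`. A ClusterRole that really lacks the rule passes silently. The speaker rule also expects `"resourceNames": ["metallb-controller"]`, which looks like a copy of the controller block; the speaker's own PSP name is presumably intended. Matching on the fixed index 3 and on exact array equality ties the test to rule ordering. A helper that searches all rules, negated in the deny body, avoids both problems.

```rego
# true when any rule grants "use" on the named PodSecurityPolicy
uses_psp(name) {
  rule := input.rules[_]
  rule.apiGroups[_] == "policy"
  rule.resources[_] == "podsecuritypolicies"
  rule.resourceNames[_] == name
  rule.verbs[_] == "use"
}

deny[msg] {
  input.kind == "ClusterRole"
  input.metadata.name == "metallb:controller"
  not uses_psp("metallb-controller")
  msg = "ClusterRole metallb:controller does not include PSP rule"
}
# … speaker rule: same shape, with the speaker's expected PSP name …
```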


@@ -0,0 +1,30 @@
package main
# validate serviceAccountName
deny[msg] {
input.kind == "DaemonSet"
serviceAccountName := input.spec.template.spec.serviceAccountName
not serviceAccountName == "release-name-metallb-speaker"
msg = sprintf("speaker serviceAccountName '%s' does not match expected value", [serviceAccountName])
}
# validate METALLB_ML_SECRET_KEY (memberlist)
deny[msg] {
input.kind == "DaemonSet"
not input.spec.template.spec.containers[0].env[5].name == "METALLB_ML_SECRET_KEY_PATH"
msg = "speaker env does not contain METALLB_ML_SECRET_KEY_PATH at env[5]"
}
# validate node selector includes builtin when custom ones are provided
deny[msg] {
input.kind == "DaemonSet"
not input.spec.template.spec.nodeSelector["kubernetes.io/os"] == "linux"
msg = "controller nodeSelector does not include '\"kubernetes.io/os\": linux'"
}
# validate tolerations include the builtins when custom ones are provided
deny[msg] {
input.kind == "DaemonSet"
not input.spec.template.spec.tolerations[0] == { "key": "node-role.kubernetes.io/master", "effect": "NoSchedule", "operator": "Exists" }
msg = "controller tolerations does not include node-role.kubernetes.io/master:NoSchedule"
}
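Review bot: The memberlist key check and the tolerations check depend on position (`containers[0].env[5]`, `tolerations[0]`), so adding or reordering an env var or toleration in the chart fails the test even when the setting is still present. A small helper such as `has_env(name) { input.spec.template.spec.containers[_].env[_].name == name }`, called as `not has_env("METALLB_ML_SECRET_KEY_PATH")`, checks presence without the index; the toleration check can be written the same way. The env rule confirms only the variable name. If the aim is to ensure the memberlist key is actually supplied, it should also assert the value or the backing secret volume. The last two messages say "controller" although these rules match the speaker DaemonSet, and the comment above the env rule names `METALLB_ML_SECRET_KEY` while the code checks `METALLB_ML_SECRET_KEY_PATH`.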