
# Policy package for the metallb speaker DaemonSet manifest. Each `deny[msg]`
# rule below adds a violation message to the `deny` set when the document
# passed as `input` has kind DaemonSet and fails one of the checks; a manifest
# with no entries in `deny` is accepted by this file.
package main
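# validate serviceAccountName
# Deny when the speaker DaemonSet does not run as the expected service account.
# The name is read with object.get and a sentinel default so that a DaemonSet
# with no serviceAccountName field at all is denied as well: with the earlier
# plain `:=` binding an absent field left the whole rule body undefined, so the
# manifest passed this check silently.
deny[msg] {
	input.kind == "DaemonSet"
	serviceAccountName := object.get(input.spec.template.spec, "serviceAccountName", "<unset>")
	not serviceAccountName == "release-name-metallb-speaker"
	msg = sprintf("speaker serviceAccountName '%s' does not match expected value", [serviceAccountName])
}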
# validate METALLB_ML_SECRET_KEY (memberlist)
# Holds when the first container's sixth env entry is the memberlist secret
# key path variable. The check is positional (containers[0].env[5]); it says
# nothing about the same variable appearing at another index or in another
# container, and it is undefined when that path does not exist in the input.
speaker_ml_secret_key_path_at_env5 {
	input.spec.template.spec.containers[0].env[5].name == "METALLB_ML_SECRET_KEY_PATH"
}

# Deny the speaker DaemonSet unless the positional env check above holds.
# Negating an undefined helper is true, so a manifest without containers,
# without env, or with fewer than six env entries is denied too.
deny[msg] {
	input.kind == "DaemonSet"
	not speaker_ml_secret_key_path_at_env5
	msg = "speaker env does not contain METALLB_ML_SECRET_KEY_PATH at env[5]"
}
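# validate node selector includes builtin when custom ones are provided
# Deny unless the DaemonSet's nodeSelector pins the pods to linux nodes. The
# `not` form also denies a manifest that has no nodeSelector at all, because
# the lookup is then undefined and its negation holds. The message names the
# speaker: this file checks the speaker DaemonSet and the sibling rules report
# their findings as "speaker", so the earlier "controller" wording was wrong.
deny[msg] {
	input.kind == "DaemonSet"
	not input.spec.template.spec.nodeSelector["kubernetes.io/os"] == "linux"
	msg = "speaker nodeSelector does not include '\"kubernetes.io/os\": linux'"
}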
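# validate tolerations include the builtins when custom ones are provided
# Deny unless the first toleration is exactly the control-plane toleration
# object below. The comparison is whole-object equality on tolerations[0], so
# an entry with extra or differing keys, a different first entry, or a missing
# tolerations list (undefined lookup, negation holds) is all denied. The
# message names the speaker: this file checks the speaker DaemonSet and the
# sibling rules report their findings as "speaker", so the earlier
# "controller" wording was wrong.
deny[msg] {
	input.kind == "DaemonSet"
	not input.spec.template.spec.tolerations[0] == { "key": "node-role.kubernetes.io/master", "effect": "NoSchedule", "operator": "Exists" }
	msg = "speaker tolerations does not include node-role.kubernetes.io/master:NoSchedule"
}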