Factory/metallb-chart/policy/rbac.rego

package main

# Validate PSP exists in ClusterRole :controller
deny[msg] {
  input.kind == "ClusterRole"
  input.metadata.name == "metallb:controller"
  input.rules[3] == {
	"apiGroups": ["policy"],
	"resources": ["podsecuritypolicies"],
	"resourceNames": ["metallb-controller"],
	"verbs": ["use"]
  }
  msg = "ClusterRole metallb:controller does not include PSP rule"
}

# Validate PSP exists in ClusterRole :speaker
deny[msg] {
  input.kind == "ClusterRole"
  input.metadata.name == "metallb:speaker"
  input.rules[3] == {
	"apiGroups": ["policy"],
	"resources": ["podsecuritypolicies"],
	"resourceNames": ["metallb-controller"],
	"verbs": ["use"]
  }
  msg = "ClusterRole metallb:speaker does not include PSP rule"
}
unpack obscpio files 2024-10-22 09:51:51 +02:00			`package main`

			`# Validate PSP exists in ClusterRole :controller`
			`deny[msg] {`
			`input.kind == "ClusterRole"`
			`input.metadata.name == "metallb:controller"`
			`input.rules[3] == {`
			`"apiGroups": ["policy"],`
			`"resources": ["podsecuritypolicies"],`
			`"resourceNames": ["metallb-controller"],`
			`"verbs": ["use"]`
			`}`
			`msg = "ClusterRole metallb:controller does not include PSP rule"`
			`}`

			`# Validate PSP exists in ClusterRole :speaker`
			`deny[msg] {`
			`input.kind == "ClusterRole"`
			`input.metadata.name == "metallb:speaker"`
			`input.rules[3] == {`
			`"apiGroups": ["policy"],`
			`"resources": ["podsecuritypolicies"],`
			`"resourceNames": ["metallb-controller"],`
			`"verbs": ["use"]`
			`}`
			`msg = "ClusterRole metallb:speaker does not include PSP rule"`
			`}`