28 lines
720 B
Rego
28 lines
720 B
Rego
package main
|
|
|
|
# Validate PSP exists in ClusterRole :controller
|
|
deny[msg] {
|
|
input.kind == "ClusterRole"
|
|
input.metadata.name == "metallb:controller"
|
|
input.rules[3] == {
|
|
"apiGroups": ["policy"],
|
|
"resources": ["podsecuritypolicies"],
|
|
"resourceNames": ["metallb-controller"],
|
|
"verbs": ["use"]
|
|
}
|
|
msg = "ClusterRole metallb:controller does not include PSP rule"
|
|
}
|
|
|
|
# Validate PSP exists in ClusterRole :speaker
|
|
deny[msg] {
|
|
input.kind == "ClusterRole"
|
|
input.metadata.name == "metallb:speaker"
|
|
input.rules[3] == {
|
|
"apiGroups": ["policy"],
|
|
"resources": ["podsecuritypolicies"],
|
|
"resourceNames": ["metallb-controller"],
|
|
"verbs": ["use"]
|
|
}
|
|
msg = "ClusterRole metallb:speaker does not include PSP rule"
|
|
}
|