
Only use approved domain names in the Ingress hostnames

Open garethahealy opened this issue 4 years ago • 3 comments

Parent: https://github.com/redhat-cop/rego-policies/issues/23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO

garethahealy avatar Jun 25 '20 13:06 garethahealy

I'd expect the policy to be similar to:

  • https://github.com/redhat-cop/rego-policies/blob/1.0.0/policy/ocp/bestpractices/container-image-latest/src.rego

garethahealy avatar Jun 25 '20 19:06 garethahealy

Something like this?

package kubernetes.admission

# Draft admission policy: deny a Route whose hostname does not start with
# the approved domain.
deny[msg] {
  input.request.kind.kind == "Route"
  hostname := input.request.object.spec.hostname
  not startswith(hostname, "example.com")
  msg := sprintf("hostname not valid BLA BLA BLA %v", [hostname])
}

jtudelag avatar Jul 21 '20 10:07 jtudelag

@jtudelag; yes, the core bits look correct, i.e. the `not startswith` check.

But, have a look at the example, as the policies wouldn't explicitly use kubernetes.admission - there might be a use-case for that, but not seen one yet.

  • https://github.com/redhat-cop/rego-policies/blob/1.0.0/policy/ocp/bestpractices/container-image-latest/src.rego

So, with your policy updated to use the helpers, it would be:

import data.lib.konstraint
import data.lib.openshift

violation[msg] {
  # Only evaluate Route objects (helper from the repo's openshift lib).
  openshift.is_route

  # konstraint.object resolves the object under review.
  obj := konstraint.object
  not startswith(obj.spec.hostname, "example.com")

  # Three format verbs to match the three values passed to sprintf.
  msg := konstraint.format(sprintf("%s/%s: hostname %s is not valid", [obj.kind, obj.metadata.name, obj.spec.hostname]))
}

garethahealy avatar Jul 21 '20 10:07 garethahealy
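The policy sketched in this thread, carried through as an added example (this is not code from the rego-policies repo or from either commenter). It assumes the `lib.konstraint` and `lib.openshift` helpers referenced above (`konstraint.object`, `konstraint.format`, `openshift.is_route`); the package name and the `approved_domains` list are placeholders. It goes slightly beyond the thread in three ways: it uses the field that actually carries the hostname (`spec.host` on an OpenShift Route, `spec.rules[_].host` on a Kubernetes Ingress, which the issue title also names), it matches an allowlist rather than a single string, and it checks the domain as a suffix with a leading dot, so that a hostname such as `notexample.com` does not pass a check meant for `example.com` the way a bare `startswith`/`endswith` would allow.

```rego
# Added example, not the project's own policy. Assumes the helper libraries
# referenced in the issue thread; package name and domain list are placeholders.
package ocp.bestpractices.route_hostname_approved_domain

import data.lib.konstraint
import data.lib.openshift

# Constructed allowlist; replace with the organisation's real domains.
approved_domains := {"example.com", "apps.example.com"}

# A hostname is approved when it is exactly an approved domain ...
host_approved(host) {
  approved_domains[host]
}

# ... or a subdomain of one. The leading dot is what stops
# "notexample.com" from matching "example.com".
host_approved(host) {
  domain := approved_domains[_]
  endswith(host, concat("", [".", domain]))
}

# OpenShift Route: the hostname lives in spec.host.
violation[msg] {
  openshift.is_route
  obj := konstraint.object
  host := obj.spec.host
  not host_approved(host)
  msg := konstraint.format(sprintf("%s/%s: hostname %s is not an approved domain", [obj.kind, obj.metadata.name, host]))
}

# Kubernetes Ingress: each rule may carry its own host, so check every rule.
violation[msg] {
  obj := konstraint.object
  obj.kind == "Ingress"
  host := obj.spec.rules[_].host
  not host_approved(host)
  msg := konstraint.format(sprintf("%s/%s: hostname %s is not an approved domain", [obj.kind, obj.metadata.name, host]))
}
```

One caveat to keep in mind when deploying this: a Route created without `spec.host` has the hostname filled in by the router after admission, so `obj.spec.host` is undefined at review time and neither rule fires; if a generated hostname outside the approved domains is a concern, a separate rule requiring `spec.host` to be set is needed.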