.Rego file assistance to deny loadbalancer except with annotation #154
cmwatts1974
started this conversation in
Community
Replies: 2 comments 2 replies
-
I'd probably write two rules for this - one to check that the annotation is present at all, and another one to check for the value of that specific annotation. Something like this might do:

package kubernetes.admission

import data.kubernetes.namespaces

lb_scheme := "service.beta.kubernetes.io/aws-load-balancer-scheme"

# Case 1: LoadBalancer Service created without the annotation at all.
deny[msg] {
    is_lb_create
    missing_lb_scheme_annotation
    msg := sprintf("Service '%v' missing required annotation '%v'", [input.request.object.metadata.name, lb_scheme])
}

# Case 2: annotation is present but carries a value other than "internal".
deny[msg] {
    is_lb_create
    not missing_lb_scheme_annotation
    input.request.object.metadata.annotations[lb_scheme] != "internal"
    msg := sprintf("Annotation '%v' must have value 'internal'", [lb_scheme])
}

# Only CREATE requests for Services of type LoadBalancer are in scope.
is_lb_create {
    input.request.kind.kind == "Service"
    input.request.operation == "CREATE"
    input.request.object.spec.type == "LoadBalancer"
}

# True when the object has no annotations map at all ...
missing_lb_scheme_annotation {
    not input.request.object.metadata.annotations
}

# ... or when the map exists but lacks the required key.
missing_lb_scheme_annotation {
    not input.request.object.metadata.annotations[lb_scheme]
}

Here's a playground link with input, if you'd like to try it out.
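To see which requests the two-rule policy above lets through, here is the policy together with an `opa test` file. The policy is copied from the reply above; the test rules, the `admission_review` helper and the AdmissionReview-style inputs it builds are an added example and are not part of the thread. The inputs are constructed and contain only the fields the policy reads; the Service name "web" and the annotation values are made up. The point the tests make is that there is no allow rule: a request is admitted exactly when the `deny` set is empty.

```rego
package kubernetes.admission

# Policy as posted in the reply above (pre-1.0 Rego syntax, as in the thread).
lb_scheme := "service.beta.kubernetes.io/aws-load-balancer-scheme"

deny[msg] {
    is_lb_create
    missing_lb_scheme_annotation
    msg := sprintf("Service '%v' missing required annotation '%v'", [input.request.object.metadata.name, lb_scheme])
}

deny[msg] {
    is_lb_create
    not missing_lb_scheme_annotation
    input.request.object.metadata.annotations[lb_scheme] != "internal"
    msg := sprintf("Annotation '%v' must have value 'internal'", [lb_scheme])
}

is_lb_create {
    input.request.kind.kind == "Service"
    input.request.operation == "CREATE"
    input.request.object.spec.type == "LoadBalancer"
}

missing_lb_scheme_annotation {
    not input.request.object.metadata.annotations
}

missing_lb_scheme_annotation {
    not input.request.object.metadata.annotations[lb_scheme]
}

# Added helper (example only): builds the subset of an AdmissionReview that
# the policy reads, for a CREATE of a Service with the given type and metadata.
admission_review(svc_type, metadata) = req {
    req := {"request": {
        "kind": {"kind": "Service"},
        "operation": "CREATE",
        "object": {"metadata": metadata, "spec": {"type": svc_type}},
    }}
}

# No annotations map at all: the first missing_lb_scheme_annotation rule fires.
test_no_annotations_denied {
    req := admission_review("LoadBalancer", {"name": "web"})
    deny[msg] with input as req
    contains(msg, "missing required annotation")
}

# Annotations present but not the required key: the second missing_* rule fires.
test_other_annotation_only_denied {
    req := admission_review("LoadBalancer", {"name": "web", "annotations": {"team": "payments"}})
    deny[msg] with input as req
    contains(msg, "missing required annotation")
}

# Required key present with the wrong value: only the value rule fires.
test_internet_facing_denied {
    req := admission_review("LoadBalancer", {"name": "web", "annotations": {
        "service.beta.kubernetes.io/aws-load-balancer-scheme": "internet-facing",
    }})
    msgs := deny with input as req
    count(msgs) == 1
    msgs["Annotation 'service.beta.kubernetes.io/aws-load-balancer-scheme' must have value 'internal'"]
}

# Compliant request: deny is empty. Nothing "allows" it explicitly; the
# webhook response is built from deny, so an empty set admits the Service.
test_internal_allowed {
    req := admission_review("LoadBalancer", {"name": "web", "annotations": {
        "service.beta.kubernetes.io/aws-load-balancer-scheme": "internal",
    }})
    count(deny) == 0 with input as req
}

# Services that are not LoadBalancers are out of scope, annotation or not.
test_cluster_ip_ignored {
    req := admission_review("ClusterIP", {"name": "web"})
    count(deny) == 0 with input as req
}
```

Save it as `policy_test.rego` and run `opa test -v .`; all five tests should pass. The syntax is the pre-1.0 form used in the thread, so OPA 1.x will reject it unless run with `--v0-compatible` or the rules are rewritten with `if` and `contains`.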
-
Thanks, so I am not understanding the lines that allow the load balancer if it meets the specified annotation requirement.
On Wednesday, March 23, 2022, 05:26:45 AM CDT, Anders Eknert wrote: [quotes the reply above in full]
-
How do I write my .rego file to deny creation of a load balancer except with a specific annotation? See below what I have tried:
package kubernetes.admission

import data.kubernetes.namespaces
import input.request.object.metadata.annotations as annotations

deny[msg] {
    input.request.kind.kind = "Service"
    input.request.operation = "CREATE"
    input.request.object.spec.type = "LoadBalancer"
    missing_required_annotations[msg]
}

missing_required_annotations[msg] {
    not annotations["service.beta.kubernetes.io/aws-load-balancer-scheme = "internal"] = internal
}