
Rename deny rule to violation (#169)

* Rename deny rule to violation

We should push a release after merging this PR so that the demo/example manifests keep working.

Signed-off-by: Max Smythe <smythe@google.com>

* Meet new naming requirements

Signed-off-by: Max Smythe <smythe@google.com>

* Correct constraint template name for basic demo

Signed-off-by: Max Smythe <smythe@google.com>
maxsmythe committed Jul 8, 2019
1 parent a001518 commit ff6fea6ef476347b54370df50011df5a4c88d6a9


@@ -142,7 +142,7 @@ spec:
rego: |
package k8srequiredlabels
deny[{"msg": msg, "details": {"missing_labels": missing}}] {
violation[{"msg": msg, "details": {"missing_labels": missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.constraint.spec.parameters.labels[_]}
missing := required - provided
@@ -23,7 +23,7 @@ spec:
rego: |
package k8sbannedimagetags
deny[{"msg": msg}] {
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
img_split := split(container.image, ":")
tag := img_split[count(img_split) - 1]
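Review bot: The tag extraction on the last two lines of the hunk, `img_split := split(container.image, ":")` and `tag := img_split[count(img_split) - 1]`, takes everything after the last colon, so an untagged image on a registry with a port (`registry:5000/app`) yields a "tag" of `5000/app` and a digest reference (`app@sha256:…`) yields the digest hex, neither of which can match a banned tag such as `latest`; a user can sidestep the ban by referencing the image through a host:port registry. Strip any `@digest` suffix first and only read a tag from the final path component, and decide explicitly whether an untagged reference should be evaluated as the implicit `latest` (the version below assumes so; adjust if the parameters are meant to ban only explicit tags). The comparison against the banned list lies past the end of the hunk and is not visible here.
```rego
violation[{"msg": msg}] {
    container := input.review.object.spec.containers[_]
    tag := image_tag(container.image)
    # … unchanged: comparison against input.constraint.spec.parameters.tags and msg …
}

# Tag of an image reference, ignoring a registry host:port; digest-pinned
# references (`name@sha256:…`) carry no tag and are not evaluated.
image_tag(ref) = tag {
    not contains(ref, "@")
    parts := split(ref, "/")
    last := parts[count(parts) - 1]
    contains(last, ":")
    tag_parts := split(last, ":")
    tag := tag_parts[1]
}
# An untagged reference pulls the implicit "latest" tag.
image_tag(ref) = "latest" {
    not contains(ref, "@")
    parts := split(ref, "/")
    not contains(parts[count(parts) - 1], ":")
}
```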
@@ -23,7 +23,7 @@ spec:
rego: |
package k8sallowedrepos
deny[{"msg": msg}] {
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
satisfied := [good | repo = input.constraint.spec.parameters.repos[_] ; good = startswith(container.image, repo)]
not any(satisfied)
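Review bot: `good = startswith(container.image, repo)` on the second-to-last line is a bare prefix check, so a `repos` entry such as `gcr.io/myproject` also admits `gcr.io/myproject-other/…` and `gcr.io/myprojectevil/…`; either require (and document in the template's parameter schema) that each entry ends with `/`, or append `/` to entries that lack one before comparing. The loop also only walks `input.review.object.spec.containers[_]`, so `initContainers` are never checked and an image from a disallowed registry can still run during pod initialisation. The rule body continues past the end of the hunk.
```rego
violation[{"msg": msg}] {
    container := input_containers[_]
    satisfied := [good | repo = input.constraint.spec.parameters.repos[_] ; good = startswith(container.image, repo)]
    not any(satisfied)
    # … unchanged: message construction …
}

# Every container in the pod, init containers included, so the allow-list
# cannot be bypassed with an initContainer.
input_containers[c] {
    c := input.review.object.spec.containers[_]
}
input_containers[c] {
    c := input.review.object.spec.initContainers[_]
}
```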
@@ -124,45 +124,45 @@ spec:
new := to_number(raw) * mem_multiple(suffix)
}
deny[{"msg": msg}] {
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
cpu_orig := container.resources.limits.cpu
not canonify_cpu(cpu_orig)
msg := sprintf("container <%v> cpu limit <%v> could not be parsed", [container.name, cpu_orig])
}
deny[{"msg": msg}] {
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
mem_orig := container.resources.limits.memory
not canonify_mem(mem_orig)
msg := sprintf("container <%v> memory limit <%v> could not be parsed", [container.name, mem_orig])
}
deny[{"msg": msg}] {
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
not container.resources
msg := sprintf("container <%v> has no resource limits", [container.name])
}
deny[{"msg": msg}] {
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
not container.resources.limits
msg := sprintf("container <%v> has no resource limits", [container.name])
}
deny[{"msg": msg}] {
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
missing(container.resources.limits, "cpu")
msg := sprintf("container <%v> has no cpu limit", [container.name])
}
deny[{"msg": msg}] {
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
missing(container.resources.limits, "memory")
msg := sprintf("container <%v> has no memory limit", [container.name])
}
deny[{"msg": msg}] {
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
cpu_orig := container.resources.limits.cpu
cpu := canonify_cpu(cpu_orig)
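Review bot: Every rule in this hunk iterates only `input.review.object.spec.containers[_]`, so init containers are never subject to the limit checks and can run unbounded during pod start-up; replace that iteration with a shared set, `input_containers[c] { c := input.review.object.spec.containers[_] }` and `input_containers[c] { c := input.review.object.spec.initContainers[_] }`, and have each rule read `container := input_containers[_]`. Separately, the rules guarded by `not container.resources` and `not container.resources.limits` emit the identical message `container <%v> has no resource limits`, which hides from audit output whether the whole `resources` block is missing; a distinct message such as `container <%v> has no resources block` for the first case makes the two findings distinguishable. The last rule's body continues past the end of the hunk.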
@@ -172,7 +172,7 @@ spec:
msg := sprintf("container <%v> cpu limit <%v> is higher than the maximum allowed of <%v>", [container.name, cpu_orig, max_cpu_orig])
}
deny[{"msg": msg}] {
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
mem_orig := container.resources.limits.memory
mem := canonify_mem(mem_orig)
@@ -39,7 +39,7 @@ spec:
msg := constraint.spec.parameters.message
}
deny[{"msg": msg, "details": {"missing_labels": missing}}] {
violation[{"msg": msg, "details": {"missing_labels": missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.constraint.spec.parameters.labels[_].key}
missing := required - provided
@@ -48,7 +48,7 @@ spec:
msg := get_message(input.constraint, def_msg)
}
deny[{"msg": msg}] {
violation[{"msg": msg}] {
value := input.review.object.metadata.labels[key]
expected := input.constraint.spec.parameters.labels[_]
expected.key == key
@@ -1,14 +1,14 @@
apiVersion: templates.gatekeeper.sh/v1alpha1
kind: ConstraintTemplate
metadata:
name: k8suniqueserviceselectors
name: k8suniqueserviceselector
spec:
crd:
spec:
names:
kind: K8sUniqueServiceSelector
listKind: K8sUniqueServiceSelectorList
plural: k8suniqueserviceselectors
plural: k8suniqueserviceselector
singular: k8suniqueserviceselector
targets:
- target: admission.k8s.gatekeeper.sh
@@ -39,7 +39,7 @@ spec:
flattened := concat(",", sort(selectors))
}
deny[{"msg": msg}] {
violation[{"msg": msg}] {
input.review.kind.kind == "Service"
input.review.kind.version == "v1"
input.review.kind.group == ""
@@ -46,7 +46,7 @@ spec:
obj.apiVersion == make_apiversion(review.kind)
}
deny[{"msg": msg, "details": {"value": val, "label": label}}]
violation[{"msg": msg, "details": {"value": val, "label": label}}]
label := input.constraint.spec.parameters.label
val := input.review.object.metadata.labels[label]
cluster_objs := [o | o = data.inventory.cluster[_][_][_]; not identical_cluster(o, input.review)]
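Review bot: The rule head `violation[{"msg": msg, "details": {"value": val, "label": label}}]` in this hunk has no opening `{`, whereas the same rule in the later uniquelabel hunk on this page ends with ` {`; if this is not a rendering artifact, the template's Rego does not parse and the constraint is never enforced, which for a uniqueness policy means duplicate label values are admitted silently. Append ` {` to the rule head and confirm that the ConstraintTemplate loads without a status error. The rule body continues past the end of the hunk.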
@@ -22,7 +22,7 @@ spec:
rego: |
package k8srequiredlabels
deny[{"msg": msg, "details": {"missing_labels": missing}}] {
violation[{"msg": msg, "details": {"missing_labels": missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.constraint.spec.parameters.labels[_]}
missing := required - provided
@@ -22,7 +22,7 @@ spec:
rego: |
package k8srequiredlabels
deny[{"msg": msg, "details": {"missing_labels": missing}}] {
violation[{"msg": msg, "details": {"missing_labels": missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.constraint.spec.parameters.labels[_]}
missing := required - provided
@@ -1,14 +1,14 @@
apiVersion: templates.gatekeeper.sh/v1alpha1
kind: ConstraintTemplate
metadata:
name: k8suniquelabels
name: k8suniquelabel
spec:
crd:
spec:
names:
kind: K8sUniqueLabel
listKind: K8sUniqueLabelList
plural: k8suniquelabels
plural: k8suniquelabel
singular: k8suniquelabel
validation:
# Schema for the `parameters` field
@@ -46,7 +46,7 @@ spec:
obj.apiVersion == make_apiversion(review.kind)
}
deny[{"msg": msg, "details": {"value": val, "label": label}}] {
violation[{"msg": msg, "details": {"value": val, "label": label}}] {
label := input.constraint.spec.parameters.label
val := input.review.object.metadata.labels[label]
cluster_objs := [o | o = data.inventory.cluster[_][_][_]; not identical_cluster(o, input.review)]
@@ -22,7 +22,7 @@ spec:
rego: |
package k8srequiredlabels
deny[{"msg": msg, "details": {"missing_labels": missing}}] {
violation[{"msg": msg, "details": {"missing_labels": missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.constraint.spec.parameters.labels[_]}
missing := required - provided
@@ -72,7 +72,7 @@ func TestReconcile(t *testing.T) {
Rego: `
package foo
deny[{"msg": "denied!"}] {
violation[{"msg": "denied!"}] {
1 == 1
}
`},
@@ -219,7 +219,7 @@ deny[{"msg": "denied!"}] {
Rego: `
package foo
deny[}}}//invalid//rego
violation[}}}//invalid//rego
`},
},
},

