This is a Rego-based OPA policy to support Flux multi-tenancy enforcement. Tested on OpenShift 4.8.
# Install OPA cli via Homebrew
$ brew install opa
# Test every Rego files under the gatekeeper dir, ignore all YAML files, explain fail cases
$ opa test --ignore='*.yaml' --explain=fails gatekeeper/
data.fluxmultitenancy.test_input_valid_helmrelease: PASS (1.795418ms)
data.fluxmultitenancy.test_input_invalid_helmrelease_no_namespace: PASS (1.535869ms)
data.fluxmultitenancy.test_input_invalid_helmrelease_namespace_not_same_as_target_namespace: PASS (1.216364ms)
data.fluxmultitenancy.test_input_invalid_helmrelease_no_service_account_name_defined: PASS (3.470131ms)
data.fluxmultitenancy.test_input_invalid_helmrelease_no_target_namespace_defined: PASS (824.879µs)
data.fluxmultitenancy.test_input_valid_kustomization: PASS (632.87µs)
data.fluxmultitenancy.test_input_invalid_kustomization_no_namespace: PASS (622.671µs)
data.fluxmultitenancy.test_input_invalid_kustomization_namespace_not_same_as_target_namespace: PASS (809.619µs)
data.fluxmultitenancy.test_input_invalid_kustomization_no_service_account_name_defined: PASS (667.91µs)
data.fluxmultitenancy.test_input_invalid_kustomization_no_target_namespace_defined: PASS (657.749µs)
--------------------------------------------------------------------------------
PASS: 10/10

This policy enforces the following rules.
- {Kustomization, HelmRelease}'s `spec.serviceAccountName` must be specified.
- {Kustomization, HelmRelease}'s `spec.targetNamespace` must be specified.
- {Kustomization, HelmRelease}'s `spec.targetNamespace` must be the same as the object's namespace.
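The three rules above written out as a Rego policy, added here as an example rather than taken from this repository's own policy file. It assumes Gatekeeper's input shape, where the admitted object sits at `input.review.object`, uses the `violation` rule set of a ConstraintTemplate, and ends with a constructed test case that `opa test` picks up.

```rego
package fluxmultitenancy

# Only Flux Kustomization and HelmRelease objects are in scope.
flux_kinds := {"Kustomization", "HelmRelease"}

# Gatekeeper hands the admitted object to the policy at input.review.object (assumption).
obj := input.review.object

# Tolerate an object with no spec at all so every rule below still fires.
spec := object.get(obj, "spec", {})

in_scope {
    flux_kinds[obj.kind]
}

# Rule 1: spec.serviceAccountName must be specified (missing or empty is rejected).
violation[{"msg": msg}] {
    in_scope
    object.get(spec, "serviceAccountName", "") == ""
    msg := sprintf("%s %s/%s: spec.serviceAccountName must be specified", [obj.kind, obj.metadata.namespace, obj.metadata.name])
}

# Rule 2: spec.targetNamespace must be specified.
violation[{"msg": msg}] {
    in_scope
    object.get(spec, "targetNamespace", "") == ""
    msg := sprintf("%s %s/%s: spec.targetNamespace must be specified", [obj.kind, obj.metadata.namespace, obj.metadata.name])
}

# Rule 3: spec.targetNamespace must equal the object's own namespace, so a
# tenant cannot point a reconciliation at another tenant's namespace.
violation[{"msg": msg}] {
    in_scope
    target := object.get(spec, "targetNamespace", "")
    target != ""
    target != obj.metadata.namespace
    msg := sprintf("%s %s/%s: spec.targetNamespace %q must equal the object's namespace", [obj.kind, obj.metadata.namespace, obj.metadata.name, target])
}

# Constructed test: a Kustomization in tenant-a that targets tenant-b
# has a service account and a target namespace, so only rule 3 fires.
test_cross_namespace_kustomization_is_rejected {
    result := violation with input as {"review": {"object": {
        "kind": "Kustomization",
        "metadata": {"namespace": "tenant-a", "name": "app"},
        "spec": {"serviceAccountName": "flux", "targetNamespace": "tenant-b"}
    }}}
    count(result) == 1
}
```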