Added K8sHttpsOnly and K8sExternalIPs

71c83e02 · Tunde Oladipupo · michaelmcleroy · f062f5ca · 71c83e02 · 71c83e02
Commit 71c83e02 authored May 28, 2021 by Tunde Oladipupo Committed by michaelmcleroy May 28, 2021
4 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,9 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [3.3.0-bb.2] - 2021-05-27
+Added Constraint Templates
 ## [3.3.0-bb.1] - 2021-05-17
 Added helm test

--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -3,7 +3,7 @@ description: A Helm chart for Gatekeeper
 name: gatekeeper
 keywords:
  - open policy agent
-version: 3.3.0-bb.1
+version: 3.3.0-bb.2
 home: https://github.com/open-policy-agent/gatekeeper
 sources:
  - https://github.com/open-policy-agent/gatekeeper.git

--- a/chart/templates/constraint-templates/14_K8sHttpsOnly.yaml
+++ b/chart/templates/constraint-templates/14_K8sHttpsOnly.yaml
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8shttpsonly
+  annotations:
+    description: Requires Ingress resources to be HTTPS only; TLS configuration should
+      be set and `kubernetes.io/ingress.allow-http` annotation equals false.
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sHttpsOnly
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8shttpsonly
+        violation[{"msg": msg}] {
+          input.review.object.kind == "Ingress"
+          re_match("^(extensions|networking.k8s.io)/", input.review.object.apiVersion)
+          ingress := input.review.object
+          not https_complete(ingress)
+          msg := sprintf("Ingress should be https. tls configuration and allow-http=false annotation are required for %v", [ingress.metadata.name])
+        }
+        https_complete(ingress) = true {
+          ingress.spec["tls"]
+          count(ingress.spec.tls) > 0
+          ingress.metadata.annotations["kubernetes.io/ingress.allow-http"] == "false"
+        }
\ No newline at end of file
--- a/chart/templates/constraint-templates/16_K8sExternalIPs.yaml
+++ b/chart/templates/constraint-templates/16_K8sExternalIPs.yaml
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8sexternalips
+  annotations:
+    description: "Restricts Services from containing externalIPs except those in a provided allowlist."
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sExternalIPs
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          properties:
+            allowedIPs:
+              type: array
+              items:
+                type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sexternalips
+        violation[{"msg": msg}] {
+          input.review.kind.kind == "Service"
+          input.review.kind.group == ""
+          allowedIPs := {ip | ip := input.parameters.allowedIPs[_]}
+          externalIPs := {ip | ip := input.review.object.spec.externalIPs[_]}
+          forbiddenIPs := externalIPs - allowedIPs
+          count(forbiddenIPs) > 0
+          msg := sprintf("service has forbidden external IPs: %v", [forbiddenIPs])
+        }
\ No newline at end of file