update charts

commit: 285ab62ddcc4e1c06fe73d9a318f9db5587a83c3 [log] [tgz]
author: Giorgi Lekveishvili <lekva@gl-mbp-m1-max.local> Wed Nov 22 13:50:45 2023 +0400
committer: Giorgi Lekveishvili <lekva@gl-mbp-m1-max.local> Wed Nov 22 13:50:45 2023 +0400
tree: 20092705204de76be09285c11b15b8c0a380dbd4
parent: 743fb432c977f4b7a98d37407cccdbe8605dd9cf [diff] [blame]
diff --git a/charts/metallb/policy/rbac.rego b/charts/metallb/policy/rbac.rego
new file mode 100644
index 0000000..047345e
--- /dev/null
+++ b/charts/metallb/policy/rbac.rego

@@ -0,0 +1,27 @@
+package main
+
+# Validate PSP exists in ClusterRole :controller
+deny[msg] {
+  input.kind == "ClusterRole"
+  input.metadata.name == "metallb:controller"
+  input.rules[3] == {
+	"apiGroups": ["policy"],
+	"resources": ["podsecuritypolicies"],
+	"resourceNames": ["metallb-controller"],
+	"verbs": ["use"]
+  }
+  msg = "ClusterRole metallb:controller does not include PSP rule"
+}
+
+# Validate PSP exists in ClusterRole :speaker
+deny[msg] {
+  input.kind == "ClusterRole"
+  input.metadata.name == "metallb:speaker"
+  input.rules[3] == {
+	"apiGroups": ["policy"],
+	"resources": ["podsecuritypolicies"],
+	"resourceNames": ["metallb-controller"],
+	"verbs": ["use"]
+  }
+  msg = "ClusterRole metallb:speaker does not include PSP rule"
+}
commit	285ab62ddcc4e1c06fe73d9a318f9db5587a83c3	[log] [tgz]
author	Giorgi Lekveishvili <lekva@gl-mbp-m1-max.local>	Wed Nov 22 13:50:45 2023 +0400
committer	Giorgi Lekveishvili <lekva@gl-mbp-m1-max.local>	Wed Nov 22 13:50:45 2023 +0400
tree	20092705204de76be09285c11b15b8c0a380dbd4
parent	743fb432c977f4b7a98d37407cccdbe8605dd9cf [diff] [blame]