Gitiles
Code Review Sign In
code.v1.dodo.cloud / pcloud / 285ab62ddcc4e1c06fe73d9a318f9db5587a83c3^! / . / charts / metallb / policy / speaker.rego
commit285ab62ddcc4e1c06fe73d9a318f9db5587a83c3[log] [tgz]
authorGiorgi Lekveishvili <lekva@gl-mbp-m1-max.local>Wed Nov 22 13:50:45 2023 +0400
committerGiorgi Lekveishvili <lekva@gl-mbp-m1-max.local>Wed Nov 22 13:50:45 2023 +0400
tree20092705204de76be09285c11b15b8c0a380dbd4
parent743fb432c977f4b7a98d37407cccdbe8605dd9cf [diff] [blame]
update charts

diff --git a/charts/metallb/policy/speaker.rego b/charts/metallb/policy/speaker.rego
new file mode 100644
index 0000000..d4d8137
--- /dev/null
+++ b/charts/metallb/policy/speaker.rego

@@ -0,0 +1,30 @@
+package main
+
+# validate serviceAccountName
+deny[msg] {
+  input.kind == "DaemonSet"
+  serviceAccountName := input.spec.template.spec.serviceAccountName
+  not serviceAccountName == "RELEASE-NAME-metallb-speaker"
+  msg = sprintf("speaker serviceAccountName '%s' does not match expected value", [serviceAccountName])
+}
+
+# validate METALLB_ML_SECRET_KEY (memberlist)
+deny[msg] {
+	input.kind == "DaemonSet"
+	not input.spec.template.spec.containers[0].env[5].name == "METALLB_ML_SECRET_KEY_PATH"
+	msg = "speaker env does not contain METALLB_ML_SECRET_KEY_PATH at env[5]"
+}
+
+# validate node selector includes builtin when custom ones are provided
+deny[msg] {
+  input.kind == "DaemonSet"
+  not input.spec.template.spec.nodeSelector["kubernetes.io/os"] == "linux"
+  msg = "controller nodeSelector does not include '\"kubernetes.io/os\": linux'"
+}
+
+# validate tolerations include the builtins when custom ones are provided
+deny[msg] {
+  input.kind == "DaemonSet"
+  not input.spec.template.spec.tolerations[0] == { "key": "node-role.kubernetes.io/master", "effect": "NoSchedule", "operator": "Exists" }
+  msg = "controller tolerations does not include node-role.kubernetes.io/master:NoSchedule"
+}