charts/metallb/policy/rbac.rego - pcloud - Gitiles

 package main

 # Validate PSP exists in ClusterRole :controller
 deny[msg] {
   input.kind == "ClusterRole"
   input.metadata.name == "metallb:controller"
   input.rules[3] == {
 	"apiGroups": ["policy"],
 	"resources": ["podsecuritypolicies"],
 	"resourceNames": ["metallb-controller"],
 	"verbs": ["use"]
   }
   msg = "ClusterRole metallb:controller does not include PSP rule"
 }

 # Validate PSP exists in ClusterRole :speaker
 deny[msg] {
   input.kind == "ClusterRole"
   input.metadata.name == "metallb:speaker"
   input.rules[3] == {
 	"apiGroups": ["policy"],
 	"resources": ["podsecuritypolicies"],
 	"resourceNames": ["metallb-controller"],
 	"verbs": ["use"]
   }
   msg = "ClusterRole metallb:speaker does not include PSP rule"
 }
	package main

	# Validate PSP exists in ClusterRole :controller
	deny[msg] {
	input.kind == "ClusterRole"
	input.metadata.name == "metallb:controller"
	input.rules[3] == {
	"apiGroups": ["policy"],
	"resources": ["podsecuritypolicies"],
	"resourceNames": ["metallb-controller"],
	"verbs": ["use"]
	}
	msg = "ClusterRole metallb:controller does not include PSP rule"
	}

	# Validate PSP exists in ClusterRole :speaker
	deny[msg] {
	input.kind == "ClusterRole"
	input.metadata.name == "metallb:speaker"
	input.rules[3] == {
	"apiGroups": ["policy"],
	"resources": ["podsecuritypolicies"],
	"resourceNames": ["metallb-controller"],
	"verbs": ["use"]
	}
	msg = "ClusterRole metallb:speaker does not include PSP rule"
	}