Gitiles
Code Review Sign In
code.v1.dodo.cloud / pcloud / f9f0beec8492e05a459bd7080ad095b4cf9292bc / . / charts / metallb / policy / speaker.rego
blob: d4d8137f1c9ea2eb533dfff8383741a122dd4ca1 [file] [log] [blame]
package main
# validate serviceAccountName
deny[msg] {
input.kind == "DaemonSet"
serviceAccountName := input.spec.template.spec.serviceAccountName
not serviceAccountName == "RELEASE-NAME-metallb-speaker"
msg = sprintf("speaker serviceAccountName '%s' does not match expected value", [serviceAccountName])
}
# validate METALLB_ML_SECRET_KEY (memberlist)
deny[msg] {
input.kind == "DaemonSet"
not input.spec.template.spec.containers[0].env[5].name == "METALLB_ML_SECRET_KEY_PATH"
msg = "speaker env does not contain METALLB_ML_SECRET_KEY_PATH at env[5]"
}
# validate node selector includes builtin when custom ones are provided
deny[msg] {
input.kind == "DaemonSet"
not input.spec.template.spec.nodeSelector["kubernetes.io/os"] == "linux"
msg = "controller nodeSelector does not include '\"kubernetes.io/os\": linux'"
}
# validate tolerations include the builtins when custom ones are provided
deny[msg] {
input.kind == "DaemonSet"
not input.spec.template.spec.tolerations[0] == { "key": "node-role.kubernetes.io/master", "effect": "NoSchedule", "operator": "Exists" }
msg = "controller tolerations does not include node-role.kubernetes.io/master:NoSchedule"
}