Gitiles
Code Review Sign In
code.v1.dodo.cloud / pcloud / refs/heads/main / . / charts / metallb / policy / rbac.rego
blob: 047345ebf95e17d1c2cee213423649b6d26127ac [file] [log] [blame]
Giorgi Lekveishvili285ab622023-11-22 13:50:45 +0400[diff] [blame]1package main
2
3# Validate PSP exists in ClusterRole :controller
4deny[msg] {
5 input.kind == "ClusterRole"
6 input.metadata.name == "metallb:controller"
7 input.rules[3] == {
8 "apiGroups": ["policy"],
9 "resources": ["podsecuritypolicies"],
10 "resourceNames": ["metallb-controller"],
11 "verbs": ["use"]
12 }
13 msg = "ClusterRole metallb:controller does not include PSP rule"
14}
15
16# Validate PSP exists in ClusterRole :speaker
17deny[msg] {
18 input.kind == "ClusterRole"
19 input.metadata.name == "metallb:speaker"
20 input.rules[3] == {
21 "apiGroups": ["policy"],
22 "resources": ["podsecuritypolicies"],
23 "resourceNames": ["metallb-controller"],
24 "verbs": ["use"]
25 }
26 msg = "ClusterRole metallb:speaker does not include PSP rule"
27}