# Policy checks for the MetalLB speaker DaemonSet rendered from this chart.
# Each `deny` rule below is evaluated against one rendered manifest (`input`)
# and produces a message when a required setting is missing or wrong
# (conftest-style `package main` / `deny[msg]` layout).
package main

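# validate serviceAccountName
#
# The speaker DaemonSet must run under the chart's dedicated speaker service
# account. The expected literal is the name produced for the placeholder
# release name the templates are rendered with in these tests; it has to be
# updated if that release name changes.
deny[msg] {
    input.kind == "DaemonSet"
    serviceAccountName := input.spec.template.spec.serviceAccountName
    not serviceAccountName == "RELEASE-NAME-metallb-speaker"
    msg = sprintf("speaker serviceAccountName '%s' does not match expected value", [serviceAccountName])
}

# When serviceAccountName is absent the assignment in the rule above is
# undefined, so that rule never fires and the pod would silently fall back to
# the namespace's default service account. This rule keeps the policy
# failing closed for that case.
deny[msg] {
    input.kind == "DaemonSet"
    not input.spec.template.spec.serviceAccountName
    msg = "speaker serviceAccountName is not set"
}
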
# validate METALLB_ML_SECRET_KEY (memberlist)
#
# The speaker container is expected to be told where the memberlist secret
# key lives via the METALLB_ML_SECRET_KEY_PATH environment variable. The
# check is positional (sixth env entry of the first container): a container,
# env list or entry that is missing leaves the helper undefined, so the
# rule still denies (fails closed).
speaker_has_ml_secret_key_path {
    input.spec.template.spec.containers[0].env[5].name == "METALLB_ML_SECRET_KEY_PATH"
}

deny[msg] {
    input.kind == "DaemonSet"
    not speaker_has_ml_secret_key_path
    msg := "speaker env does not contain METALLB_ML_SECRET_KEY_PATH at env[5]"
}

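# validate node selector includes builtin when custom ones are provided
#
# The chart's built-in `kubernetes.io/os: linux` selector must survive any
# user-supplied nodeSelector. A missing nodeSelector or key leaves the
# comparison undefined, so `not` makes the rule deny (fails closed).
# The message names the speaker: this file only matches kind DaemonSet,
# which is the speaker, not the controller.
deny[msg] {
    input.kind == "DaemonSet"
    not input.spec.template.spec.nodeSelector["kubernetes.io/os"] == "linux"
    msg = "speaker nodeSelector does not include '\"kubernetes.io/os\": linux'"
}
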
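# validate tolerations include the builtins when custom ones are provided
#
# The first toleration must be exactly the built-in control-plane toleration
# the chart emits, so user-supplied tolerations cannot replace it. Object
# equality is exact: an extra or missing key, or an absent tolerations list,
# leaves the comparison undefined/false and the rule denies (fails closed).
# NOTE(review): the literal tracks the `node-role.kubernetes.io/master` taint
# key; if the chart moves to the `control-plane` key this literal and the
# message must follow. The message names the speaker because this file only
# matches kind DaemonSet.
deny[msg] {
    input.kind == "DaemonSet"
    not input.spec.template.spec.tolerations[0] == { "key": "node-role.kubernetes.io/master", "effect": "NoSchedule", "operator": "Exists" }
    msg = "speaker tolerations does not include node-role.kubernetes.io/master:NoSchedule"
}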