# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # [START anthosconfig_ci_pipeline_unstructured_banned_key_template] apiVersion: templates.gatekeeper.sh/v1beta1 kind: ConstraintTemplate metadata: name: k8sbannedconfigmapkeysv1 spec: crd: spec: names: kind: K8sBannedConfigMapKeysV1 validation: openAPIV3Schema: properties: keys: type: array items: type: string targets: - target: admission.k8s.gatekeeper.sh rego: |- package ban_keys violation[{"msg": sprintf("%v", [val])}] { keys = {key | input.review.object.data[key]} banned = {key | input.parameters.keys[_] = key} overlap = keys & banned count(overlap) > 0 val := sprintf("The following banned keys are being used in the config map: %v", [overlap]) } # [END anthosconfig_ci_pipeline_unstructured_banned_key_template]