
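# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Gatekeeper ConstraintTemplate: a GCPEnforceNamingV2 constraint supplies
# `naming_rules` (kind + regex patterns); the rego below rejects any reviewed
# object of that kind whose metadata.name fails one of the patterns. It also
# inspects FutureObject wrappers so objects produced by the folder-ref kpt
# function are checked by their inner kind/name.
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: gcpenforcenamingv2
spec:
  crd:
    spec:
      names:
        kind: GCPEnforceNamingV2
      validation:
        openAPIV3Schema:
          properties:
            naming_rules:
              type: array
              items:
                type: object
                properties:
                  # Kind the rule applies to. The rego matches on `rule.kind`,
                  # so it must be declared here: an undeclared field can be
                  # pruned from the constraint by a structural schema, after
                  # which `kind == rule.kind` never holds and the policy
                  # silently never fires (fails open).
                  kind:
                    type: string
                  # Regexes the name must satisfy. re_match is unanchored, so
                  # constraint authors should anchor patterns (^...$) or a
                  # substring match will be accepted.
                  patterns:
                    type: array
                    items:
                      type: string
                  # Accepted for compatibility with existing constraints; it is
                  # not read by the rego below.
                  resource:
                    type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package templates.gcp.GCPEnforceNamingConstraintV1

        # Plain objects: match on the reviewed object's own kind and name.
        violation[{"msg": msg}] {
          rule := input.parameters.naming_rules[_]
          kind := input.review.object.kind
          kind == rule.kind
          pattern := rule.patterns[_]
          name := input.review.object.metadata.name
          not re_match(pattern, name)
          msg := sprintf("The resource '%s' of type '%s' didn't follow the regex naming convention %s", [name, kind, pattern])
        }

        # This is to catch failures in FutureObjects generated by the folder-ref kpt fn.
        # The wrapped object's kind and name live under spec.object.
        violation[{"msg": msg}] {
          rule := input.parameters.naming_rules[_]
          kind := input.review.object.kind
          kind == "FutureObject"
          input.review.object.spec.object.kind == rule.kind
          pattern := rule.patterns[_]
          name := input.review.object.spec.object.metadata.name
          not re_match(pattern, name)
          msg := sprintf("The resource '%s' of type '%s' didn't follow the regex naming convention %s", [name, rule.kind, pattern])
        }
status: {}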