policies/k8s-registry-deprecation/gatekeeper/deprecated-registry-ct.yaml (108 lines of code) (raw):
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8sdeprecatedregistry
labels:
policy.kubernetes.amazon-eks.com/gatekeeper: template
spec:
crd:
spec:
names:
kind: K8sDeprecatedRegistry
validation:
# Schema for the `parameters` field
openAPIV3Schema:
type: object
properties:
allowedOps:
type: array
items:
type: string
deniedRegistries:
type: array
items:
type: string
errMsg:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8sdeprecatedregistry
import future.keywords.in
# Pod containers
violation[{"msg": msg, "details": {}}] {
input.review.operation in input.parameters.allowedOps
image := input.review.object.spec.containers[_].image
name := input.review.object.spec.containers[_].name
badRegs := input.parameters.deniedRegistries
reg_matches_any(image, badRegs) = true
msg = sprintf("%v: Container=%v, Image=%v. The \"k8s.gcr.io\" image registry is deprecated. \"registry.k8s.io\" should now be used. Resource ID (ns/name/kind): %v/%v/%v",[input.parameters.errMsg, name, image, input.review.object.metadata.namespace, input.review.object.metadata.name, input.review.kind.kind])
}
# Pod initContainers
violation[{"msg": msg, "details": {}}] {
input.review.operation in input.parameters.allowedOps
image := input.review.object.spec.initContainers[_].image
name := input.review.object.spec.initContainers[_].name
badRegs := input.parameters.deniedRegistries
reg_matches_any(image, badRegs) = true
msg = sprintf("%v: Container=%v, Image=%v. The \"k8s.gcr.io\" image registry is deprecated. \"registry.k8s.io\" should now be used. Resource ID (ns/name/kind): %v/%v/%v",[input.parameters.errMsg, name, image, input.review.object.metadata.namespace, input.review.object.metadata.name, input.review.kind.kind])
}
# Pod ephemeralContainers
violation[{"msg": msg, "details": {}}] {
input.review.operation in input.parameters.allowedOps
image := input.review.object.spec.ephemeralContainers[_].image
name := input.review.object.spec.ephemeralContainers[_].name
badRegs := input.parameters.deniedRegistries
reg_matches_any(image, badRegs) = true
msg = sprintf("%v: Container=%v, Image=%v. The \"k8s.gcr.io\" image registry is deprecated. \"registry.k8s.io\" should now be used. Resource ID (ns/name/kind): %v/%v/%v",[input.parameters.errMsg, name, image, input.review.object.metadata.namespace, input.review.object.metadata.name, input.review.kind.kind])
}
# CronJob containers
violation[{"msg": msg, "details": {}}] {
input.review.operation in input.parameters.allowedOps
image := input.review.object.spec.jobTemplate.spec.containers[_].image
name := input.review.object.spec.jobTemplate.spec.containers[_].name
badRegs := input.parameters.deniedRegistries
reg_matches_any(image, badRegs) = true
msg = sprintf("%v: Container=%v, Image=%v. The \"k8s.gcr.io\" image registry is deprecated. \"registry.k8s.io\" should now be used. Resource ID (ns/name/kind): %v/%v/%v",[input.parameters.errMsg, name, image, input.review.object.metadata.namespace, input.review.object.metadata.name, input.review.kind.kind])
}
# CronJob initContainers
violation[{"msg": msg, "details": {}}] {
input.review.operation in input.parameters.allowedOps
image := input.review.object.spec.jobTemplate.spec.initContainers[_].image
name := input.review.object.spec.jobTemplate.spec.initContainers[_].name
badRegs := input.parameters.deniedRegistries
reg_matches_any(image, badRegs) = true
msg = sprintf("%v: Container=%v, Image=%v. The \"k8s.gcr.io\" image registry is deprecated. \"registry.k8s.io\" should now be used. Resource ID (ns/name/kind): %v/%v/%v",[input.parameters.errMsg, name, image, input.review.object.metadata.namespace, input.review.object.metadata.name, input.review.kind.kind])
}
# CronJob ephemeralContainers
violation[{"msg": msg, "details": {}}] {
input.review.operation in input.parameters.allowedOps
image := input.review.object.spec.jobTemplate.spec.ephemeralContainers[_].image
name := input.review.object.spec.jobTemplate.spec.ephemeralContainers[_].name
badRegs := input.parameters.deniedRegistries
reg_matches_any(image, badRegs) = true
msg = sprintf("%v: Container=%v, Image=%v. The \"k8s.gcr.io\" image registry is deprecated. \"registry.k8s.io\" should now be used. Resource ID (ns/name/kind): %v/%v/%v",[input.parameters.errMsg, name, image, input.review.object.metadata.namespace, input.review.object.metadata.name, input.review.kind.kind])
}
# Workload containers
violation[{"msg": msg, "details": {}}] {
input.review.operation in input.parameters.allowedOps
image := input.review.object.spec.template.spec.containers[_].image
name := input.review.object.spec.template.spec.containers[_].name
badRegs := input.parameters.deniedRegistries
reg_matches_any(image, badRegs) = true
msg = sprintf("%v: Container=%v, Image=%v. The \"k8s.gcr.io\" image registry is deprecated. \"registry.k8s.io\" should now be used. Resource ID (ns/name/kind): %v/%v/%v",[input.parameters.errMsg, name, image, input.review.object.metadata.namespace, input.review.object.metadata.name, input.review.kind.kind])
}
# Workload initContainers
violation[{"msg": msg, "details": {}}] {
input.review.operation in input.parameters.allowedOps
image := input.review.object.spec.template.spec.initContainers[_].image
name := input.review.object.spec.template.spec.initContainers[_].name
badRegs := input.parameters.deniedRegistries
reg_matches_any(image, badRegs) = true
msg = sprintf("%v: Container=%v, Image=%v. The \"k8s.gcr.io\" image registry is deprecated. \"registry.k8s.io\" should now be used. Resource ID (ns/name/kind): %v/%v/%v",[input.parameters.errMsg, name, image, input.review.object.metadata.namespace, input.review.object.metadata.name, input.review.kind.kind])
}
# Workload ephemeralContainers
violation[{"msg": msg, "details": {}}] {
input.review.operation in input.parameters.allowedOps
image := input.review.object.spec.template.spec.ephemeralContainers[_].image
name := input.review.object.spec.template.spec.ephemeralContainers[_].name
badRegs := input.parameters.deniedRegistries
reg_matches_any(image, badRegs) = true
msg = sprintf("%v: Container=%v, Image=%v. The \"k8s.gcr.io\" image registry is deprecated. \"registry.k8s.io\" should now be used. Resource ID (ns/name/kind): %v/%v/%v",[input.parameters.errMsg, name, image, input.review.object.metadata.namespace, input.review.object.metadata.name, input.review.kind.kind])
}
reg_matches_any(str, patterns) {
reg_matches(str, patterns[_])
}
reg_matches(str, pattern) {
contains(str, pattern)
}