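# Gatekeeper ConstraintTemplate: deny Pods whose containers do not explicitly
# set securityContext.readOnlyRootFilesystem: true.
#
# The YAML nesting below is significant (Gatekeeper parses the CRD spec and
# the `rego: |` literal block by indentation); the listing had lost it.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sazurereadonlyrootfilesystem
spec:
  crd:
    spec:
      names:
        # Kind of the Constraint objects that instantiate this template.
        kind: K8sAzureReadOnlyRootFilesystem
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sazurereadonlyrootfilesystem

        # One violation per container that is not running with a read-only
        # root filesystem. The check is "fail closed": a container passes only
        # when readOnlyRootFilesystem is explicitly true; unset or false both
        # produce a violation.
        violation[{"msg": msg, "details": {}}] {
          c := input_containers[_]
          input_read_only_root_fs(c)
          msg := sprintf("only read-only root filesystem container is allowed: %v", [c.name])
        }

        # True when the container has no securityContext block at all.
        # (Covered by the second rule as well, since the comparison below is
        # undefined for a missing field; kept for readability.)
        input_read_only_root_fs(c) {
          not has_field(c, "securityContext")
        }

        # True when readOnlyRootFilesystem is missing, null, or anything other
        # than true. `not <undefined> == true` evaluates to true in Rego, so an
        # absent field is a violation rather than silently accepted.
        input_read_only_root_fs(c) {
          not c.securityContext.readOnlyRootFilesystem == true
        }

        # Containers evaluated by this policy: regular and init containers of
        # the admitted Pod.
        # NOTE(review): spec.ephemeralContainers is not evaluated here. If the
        # cluster allows ephemeral containers, a separate check is needed for
        # that path to keep the same guarantee.
        input_containers[c] {
          c := input.review.object.spec.containers[_]
        }
        input_containers[c] {
          c := input.review.object.spec.initContainers[_]
        }

        # has_field returns whether an object has a field.
        # Note: the body expression `object[field]` is also false when the
        # field exists but holds the boolean false; that does not matter for
        # the only caller here, which checks an object-valued field.
        has_field(object, field) = true {
          object[field]
        }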