built-in-references/Kubernetes/container-allowed-ports/template.yaml (37 lines of code) (raw):
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8sazurecontainerallowedports
spec:
crd:
spec:
names:
kind: K8sAzureContainerAllowedPorts
listKind: K8sAzureContainerAllowedPortsList
plural: k8sazurecontainerallowedports
singular: k8sazurecontainerallowedports
validation:
# Schema for the `parameters` field
openAPIV3Schema:
properties:
allowedPorts:
type: array
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8sazurecontainerallowedports
violation[{"msg": msg}] {
container := input_containers[_]
port := container.ports[_]
format_int(port.containerPort, 10, portstr)
satisfied := [good | allowedPort := input.parameters.allowedPorts[_]; good := (portstr == allowedPort)]
not any(satisfied)
msg := sprintf("Container port %v for container %v has not been allowed.", [portstr, container.name])
}
input_containers[c] {
c := input.review.object.spec.containers[_]
}
input_containers[c] {
c := input.review.object.spec.initContainers[_]
}