forked from meshery/meshery
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathbinding.rego
150 lines (124 loc) · 3.83 KB
/
binding.rego
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
---------
package kubernetes_policy
# Verify that each ClusterRoleBinding is bounded to a valid ClusterRole
valid_cluster_role_binding {
clusterRoleBinding := input.clusterRoleBindings[_]
clusterRole := input.clusterRoles[clusterRoleBinding.roleRef.name]
clusterRole != null
clusterRoleBinding.roleRef.kind == "ClusterRole"
}
------------
------------
package k8s_pvc_policies
import data.kubernetes
# Define the main rule to evaluate the relationship between Pod, PV, and PVC
deny_pod_without_claim[pod] {
# Get the PVC name from the pod's spec
pvc_name = pod.spec.volumes[_].persistentVolumeClaim.claimName
# Check if the PVC exists in the cluster
not kubernetes.persistent_volume_claims[pvc_name]
# Ensure that the pod has at least one PVC
count(pvc_name) == 0
}
# Main rule for evaluating relationships between PV and PVC
deny_pv_without_claim[pv] {
# Get the PVC name from the PV's claimRef
pvc_name = pv.spec.claimRef.name
# Check if the PVC exists in the cluster
not kubernetes.persistent_volume_claims[pvc_name]
}
# Define the Kubernetes data schema
package kubernetes {
# Define data structures for Kubernetes resources
pod_manifests = {
"example-pod": {
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "example-pod",
},
"spec": {
"volumes": [
{
"name": "data-volume",
"persistentVolumeClaim": {
"claimName": "example-claim",
}
}
],
"containers": [
{
"name": "app-container",
"image": "nginx:latest",
}
],
},
},
}
persistent_volume_claims = {
"example-claim": {
"apiVersion": "v1",
"kind": "PersistentVolumeClaim",
"metadata": {
"name": "example-claim",
},
"spec": {
"accessModes": ["ReadWriteOnce"],
"resources": {
"requests": {
"storage": "1Gi",
},
},
},
},
}
}
------------
------------
package kubernetes_policy
# Verify that each service is associated with a valid deployment
valid_service_deployment {
service := input.services[_]
deployment := input.deployments[service.metadata.name]
deployment != null
deployment.spec.selector.matchLabels == service.spec.selector
}
-----------
----------
package kubernetes_policy
# Helper function to check if two sets are equal
is_set_equal(s1, s2) {
s1 == s2
}
# Verify that the service selectors match the deployment labels
service_deployment_match {
service := input.services[_]
deployment := input.deployments[service.deployment]
is_set_equal(service.selectors, deployment.labels)
}
# Verify that the deployment selectors match the pod labels
deployment_pod_match {
deployment := input.deployments[_]
pod := input.pods[deployment.pod]
is_set_equal(deployment.selectors, pod.labels)
}
# Verify that each service is associated with a valid deployment
valid_service_deployment {
service := input.services[_]
deployment := input.deployments[service.deployment]
deployment != null
}
# Verify that each deployment is associated with a valid pod
valid_deployment_pod {
deployment := input.deployments[_]
pod := input.pods[deployment.pod]
pod != null
}
# Verify that each pod is associated with a valid service
valid_pod_service {
pod := input.pods[_]
deployment := input.deployments[_]
service := input.services[deployment.service]
service != null
}
--------------