cleaned policie tests
parent
d29d46fe8f
commit
29ea8a6f88
|
@ -1,24 +0,0 @@
|
|||
package main
|
||||
|
||||
import data.kubernetes
|
||||
|
||||
name = input.metadata.name
|
||||
|
||||
deny[msg] {
|
||||
kubernetes.is_deployment
|
||||
not input.spec.template.spec.securityContext.runAsNonRoot
|
||||
|
||||
msg = sprintf("Containers must not run as root in Deployment %s", [name])
|
||||
}
|
||||
|
||||
required_deployment_selectors {
|
||||
input.spec.selector.matchLabels.app
|
||||
input.spec.selector.matchLabels.release
|
||||
}
|
||||
|
||||
deny[msg] {
|
||||
kubernetes.is_deployment
|
||||
not required_deployment_selectors
|
||||
|
||||
msg = sprintf("Deployment %s must provide app/release labels for pod selectors", [name])
|
||||
}
|
|
@ -1,9 +0,0 @@
|
|||
package kubernetes
|
||||
|
||||
is_service {
|
||||
input.kind = "Service"
|
||||
}
|
||||
|
||||
is_deployment {
|
||||
input.kind = "Deployment"
|
||||
}
|
|
@ -18,9 +18,3 @@ deny[msg] {
|
|||
not required_deployment_labels
|
||||
msg = sprintf("%s must include Kubernetes recommended labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels", [name])
|
||||
}
|
||||
|
||||
deny[msg] {
|
||||
input.kind = "Deployment"
|
||||
not input.spec.selector.matchLabels.app
|
||||
msg = "Containers must provide app label for pod selectors"
|
||||
}
|
||||
|
|
|
@ -3,5 +3,5 @@ package main
|
|||
deny[msg] {
|
||||
input.kind = "Deployment"
|
||||
not input.spec.template.spec.securityContext.runAsNonRoot = true
|
||||
msg = "Containers must not run as root"
|
||||
msg = sprintf("%s Containers must not run as root", [name])
|
||||
}
|
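Review bot: The message line `msg = sprintf("%s Containers must not run as root", [name])` (which appears to be the added side of this hunk) makes the deny rule depend on `name`, which is not defined in the hunk and is presumably `name = input.metadata.name` as in test/selector.rego. If a manifest carries no `metadata.name`, `name` is undefined, the rule body fails, and no violation is reported for a Deployment that the old constant message would have denied. A single `default name = "<unnamed>"` in package main, next to the definition, keeps the rule failing closed; the same applies to the sprintf in the new deny rule in test/selector.rego. Separately, the unchanged check reads only the pod-level `securityContext`, and a container-level `securityContext.runAsNonRoot: false` overrides it, so checking `input.spec.template.spec.containers[_]` as well is worth considering.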
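--- a/test/selector.rego
+++ b/test/selector.rego
@@ -0,0 +1,11 @@
+package main
+
+import data.kubernetes
+
+name = input.metadata.name
+
+deny[msg] {
+input.kind = "Deployment"
+not input.spec.selector.matchLabels.app
+msg = sprintf("%s must provide app label for pod selectors: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels", [name])
+}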
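Review bot: `import data.kubernetes` in this new file is unused, since the rule compares `input.kind = "Deployment"` directly, and the `package kubernetes` helper file looks to be one of the files this commit deletes (its path is not shown on the page). Dropping the import avoids an unused-import error under `opa check --strict` and a reference to a package that no longer exists in the policy set.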