Upgrade rego rules

k8s-school · Jul 3, 2024 · f0489c4 · f0489c4
1 parent de7dc8d
commit f0489c4
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 17 deletions.
diff --git a/labs/3_policies/ex2-podsecurity.sh b/labs/3_policies/ex2-podsecurity.sh
@@ -72,7 +72,7 @@ cat <<EOF | kubectl -n verify-pod-security apply -f -
 apiVersion: v1
 kind: Pod
 metadata:
-  name: busybox-privileged
+  name: busybox-allow-privilege-escalation
 spec:
   containers:
   - name: busybox
@@ -86,7 +86,7 @@ EOF
 alias kubectl-admin="kubectl -n $NS"
 
 kubectl-admin get pods
-kubectl-admin delete pod busybox-privileged
+kubectl-admin delete pod busybox-allow-privilege-escalation
 
 # Baseline level and workload
 # The baseline policy demonstrates sensible defaults while preventing common container exploits.

diff --git a/labs/3_policies/rego/sol1.rego → labs/3_policies/rego/sol1.rego.deprecated b/labs/3_policies/rego/sol1.rego → labs/3_policies/rego/sol1.rego.deprecated
diff --git a/labs/3_policies/rego/sol3.rego b/labs/3_policies/rego/sol3.rego
@@ -1,24 +1,22 @@
 package kubernetes.validating.images
 
-import future.keywords.contains
-import future.keywords.if
-import future.keywords.in
+import rego.v1
 
 deny contains msg if {
-        input.request.kind.kind == "Pod"
+	input.request.kind.kind == "Pod"
 
-        # The `some` keyword declares local variables. This rule declares a variable
-        # called `container`, with the value any of the input request's spec's container
-        # objects. It then checks if the container object's `"image"` field does not 
-        # start with "hooli.com/".
-        some container in input.request.object.spec.containers
-        endswith(container.image, ":latest")
-    msg := sprintf("Tag 'latest' is forbidden for image %v", [container.image])
+	# The `some` keyword declares local variables. This rule declares a variable
+	# called `container`, with the value any of the input request's spec's container
+	# objects. It then checks if the container object's `"image"` field does not
+	# start with "hooli.com/".
+	some container in input.request.object.spec.containers
+	endswith(container.image, ":latest")
+	msg := sprintf("Tag 'latest' is forbidden for image %v", [container.image])
 }
 
 deny contains msg if {
-   input.request.kind.kind == "Pod"
-   some container2 in input.request.object.spec.containers
-   not contains(container2.image, ":")
-   msg := sprintf("Image must contains a tag for image %v", [container2.image])
+	input.request.kind.kind == "Pod"
+	some container2 in input.request.object.spec.containers
+	not contains(container2.image, ":")
+	msg := sprintf("Image must contains a tag for image %v", [container2.image])
 }