d0b3c26223
Adds three policy files under policy/ plus a pre-commit hook that
runs conftest against all staged YAML manifests (excluding chart
templates).
Policies:
no_ingress.rego
Deny Ingress resources — cluster uses Gateway API only.
gateway_api.rego
HTTPRoute/TLSRoute: require explicit group/kind on parentRefs and
group/kind/weight on backendRefs (PR #162, #165).
Gateway: require explicit group on certificateRefs (PR #153).
All fields are defaulted by the controller; omitting them causes
permanent ArgoCD OutOfSync.
resource_normalization.rego
CPU integer: deny unquoted integer cpu values (PR #163).
CPU milliCPU: deny values like 1000m/2000m that normalise to "1"/"2" (PR #164).
Memory Mi→Gi: deny 1024Mi/2048Mi etc. that normalise to 1Gi/2Gi (PR #163).
clusterIP null: deny Service with explicit null clusterIP (PR #166).
Also fixes all existing violations found by the new policies across
puppet deployments and reposync cronjobs (resource normalization).
kanidm/tlsroute.yaml and puppet/service_puppetdb.yaml are excluded
from this commit as they are addressed in PRs #165 and #166.
95 lines
3.3 KiB
Rego
95 lines
3.3 KiB
Rego
package main
|
|
|
|
# Gateway API resources require several fields to be set explicitly even though
|
|
# the Gateway API controller defaults them. ArgoCD diffs desired vs live by
|
|
# string comparison, so any field the controller defaults that is absent from
|
|
# the git manifest causes a permanent OutOfSync.
|
|
#
|
|
# Affected resources:
|
|
# HTTPRoute / TLSRoute — parentRefs and backendRefs (see PR #162, #165)
|
|
# Gateway — listeners[*].tls.certificateRefs (see PR #153)
|
|
|
|
_route_kinds := {"HTTPRoute", "TLSRoute"}
|
|
|
|
# ---- parentRefs: group must be "gateway.networking.k8s.io" ----
|
|
|
|
deny contains msg if {
|
|
_route_kinds[input.kind]
|
|
ref := input.spec.parentRefs[i]
|
|
object.get(ref, "group", null) != "gateway.networking.k8s.io"
|
|
msg := sprintf(
|
|
"%s %s/%s parentRefs[%d]: add 'group: gateway.networking.k8s.io' — controller defaults this field, causing ArgoCD OutOfSync when omitted",
|
|
[input.kind, input.metadata.namespace, input.metadata.name, i],
|
|
)
|
|
}
|
|
|
|
# ---- parentRefs: kind must be "Gateway" ----
|
|
|
|
deny contains msg if {
|
|
_route_kinds[input.kind]
|
|
ref := input.spec.parentRefs[i]
|
|
object.get(ref, "kind", null) != "Gateway"
|
|
msg := sprintf(
|
|
"%s %s/%s parentRefs[%d]: add 'kind: Gateway' — controller defaults this field, causing ArgoCD OutOfSync when omitted",
|
|
[input.kind, input.metadata.namespace, input.metadata.name, i],
|
|
)
|
|
}
|
|
|
|
# ---- backendRefs: group must be present (may be empty string "") ----
|
|
|
|
deny contains msg if {
|
|
_route_kinds[input.kind]
|
|
rule := input.spec.rules[ri]
|
|
ref := rule.backendRefs[bi]
|
|
not _has_key(ref, "group")
|
|
msg := sprintf(
|
|
"%s %s/%s rules[%d].backendRefs[%d]: add 'group: \"\"' — controller defaults this field, causing ArgoCD OutOfSync when omitted",
|
|
[input.kind, input.metadata.namespace, input.metadata.name, ri, bi],
|
|
)
|
|
}
|
|
|
|
# ---- backendRefs: kind must be "Service" ----
|
|
|
|
deny contains msg if {
|
|
_route_kinds[input.kind]
|
|
rule := input.spec.rules[ri]
|
|
ref := rule.backendRefs[bi]
|
|
object.get(ref, "kind", null) != "Service"
|
|
msg := sprintf(
|
|
"%s %s/%s rules[%d].backendRefs[%d]: add 'kind: Service' — controller defaults this field, causing ArgoCD OutOfSync when omitted",
|
|
[input.kind, input.metadata.namespace, input.metadata.name, ri, bi],
|
|
)
|
|
}
|
|
|
|
# ---- backendRefs: weight must be present ----
|
|
|
|
deny contains msg if {
|
|
_route_kinds[input.kind]
|
|
rule := input.spec.rules[ri]
|
|
ref := rule.backendRefs[bi]
|
|
not _has_key(ref, "weight")
|
|
msg := sprintf(
|
|
"%s %s/%s rules[%d].backendRefs[%d]: add 'weight: 1' — controller defaults this field, causing ArgoCD OutOfSync when omitted",
|
|
[input.kind, input.metadata.namespace, input.metadata.name, ri, bi],
|
|
)
|
|
}
|
|
|
|
# ---- Gateway certificateRefs: group must be present (may be empty string "") ----
|
|
|
|
deny contains msg if {
|
|
input.kind == "Gateway"
|
|
listener := input.spec.listeners[li]
|
|
ref := listener.tls.certificateRefs[ci]
|
|
not _has_key(ref, "group")
|
|
msg := sprintf(
|
|
"Gateway %s/%s listeners[%d].tls.certificateRefs[%d]: add 'group: \"\"' — admission webhook defaults this field, causing ArgoCD OutOfSync when omitted",
|
|
[input.metadata.namespace, input.metadata.name, li, ci],
|
|
)
|
|
}
|
|
|
|
# ---- Helper: key presence check (works for null, "", and any defined value) ----
|
|
|
|
_has_key(obj, key) if {
|
|
_ = obj[key]
|
|
}
|