Version: 1.3

Common Examples

The following are some common use cases and how to achieve them in policy definitions.

Restrict workload images to certain Docker registries

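apiVersion: policy.appvia.io/v1alpha1
kind: Policy
metadata:
  name: custom.images.registries
spec:
  policy:
    policy: |
      # Image-reference prefixes that containers may use. The match is a plain
      # string prefix, so keep the trailing "/": without it an image under
      # "quay.io/appvia-other/..." would also be accepted.
      permitted = [
        "quay.io/appvia/"
      ]

      # A container is in violation when its image matches none of the
      # permitted prefixes. (The earlier form collected the non-matching
      # prefixes and passed them to any(), which only reports elements that
      # are literally `true`, so the rule could never fire; any() is also
      # deprecated in current OPA releases.)
      violation[response] {
        container := input_containers[_]
        matches := [p | p := permitted[_]; startswith(container.image, p)]
        count(matches) == 0
        msg := sprintf("container %s using a disallowed image %s", [container.name, container.image])

        response = {
          "message": msg,
        }
      }

      # Containers of pod-template workloads (Deployment, DaemonSet, ...).
      input_containers[c] {
        c := input.review.object.spec.template.spec.containers[_]
      }

      input_containers[c] {
        c := input.review.object.spec.template.spec.initContainers[_]
      }

      # Containers of a bare Pod.
      input_containers[c] {
        c := input.review.object.spec.initContainers[_]
      }

      input_containers[c] {
        c := input.review.object.spec.containers[_]
      }

      # Not inspected: spec.ephemeralContainers, and the nested template used by
      # CronJobs (spec.jobTemplate.spec.template...), whose kinds are also absent
      # from the resource selector below.
  # NOTE(review): this page lost its indentation; selectors and target are
  # reconstructed as direct children of spec - confirm against the Policy CRD.
  selectors:
    - subject:
        scopes:
          - '*'
    - namespace:
        matchLabels:
          appvia.io/workspace: "*"
    - resource:
        groups:
          - "*"
        resources:
          - daemonsets  # was "daemonstes" (typo), which silently exempted DaemonSets
          - deployments
          - pods
          - replicasets
          - statefulsets
        verbs:
          - create
          - patch
          - update
  target:
    selector:
      matchExpressions:
        - key: appvia.io/stage
          operator: Exists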

Block users from deploying workloads with certain image tags

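apiVersion: policy.appvia.io/v1alpha1
kind: Policy
metadata:
  name: custom.images.tags
spec:
  policy:
    policy: |
      # Image tags that no container may use.
      forbidden = [
        "latest"
      ]

      # all images cannot use any tags from the above forbidden list
      # (iterates the list directly instead of collecting booleans for the
      # deprecated any() builtin; identical messages collapse into one violation)
      violation[response] {
        container := input_containers[_]
        tag := forbidden[_]
        endswith(container.image, concat(":", ["", tag]))
        msg := sprintf("container %v uses a disallowed tag %s; disallowed tags are %s", [container.name, container.image, forbidden])

        response = {
          "message": msg,
        }
      }

      # all images must have a tag. Only the final path segment is inspected so
      # that a registry port ("registry:5000/app") is not mistaken for a tag;
      # a digest reference ("app@sha256:...") also contains ":" and is accepted.
      violation[response] {
        container := input_containers[_]
        segments := split(container.image, "/")
        last := count(segments) - 1
        name := segments[last]
        not contains(name, ":")
        msg := sprintf("container %s didn't specify an image tag %s", [container.name, container.image])

        response = {
          "message": msg,
        }
      }

      # Containers of pod-template workloads (Deployment, DaemonSet, ...).
      input_containers[c] {
        c := input.review.object.spec.template.spec.containers[_]
      }

      input_containers[c] {
        c := input.review.object.spec.template.spec.initContainers[_]
      }

      # Containers of a bare Pod.
      input_containers[c] {
        c := input.review.object.spec.initContainers[_]
      }

      input_containers[c] {
        c := input.review.object.spec.containers[_]
      }

      # Not inspected: spec.ephemeralContainers and the CronJob template path.
  # NOTE(review): this page lost its indentation; selectors and target are
  # reconstructed as direct children of spec - confirm against the Policy CRD.
  selectors:
    - subject:
        scopes:
          - '*'
    - namespace:
        matchLabels:
          appvia.io/workspace: "*"
    - resource:
        groups:
          - "*"
        resources:
          - daemonsets  # was "daemonstes" (typo), which silently exempted DaemonSets
          - deployments
          - pods
          - replicasets
          - statefulsets
        verbs:
          - create
          - patch
          - update
  target:
    selector:
      matchExpressions:
        - key: appvia.io/stage
          operator: Exists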

Ensure ingress hosts do not overlap across namespaces

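apiVersion: policy.appvia.io/v1alpha1
kind: Policy
metadata:
  name: custom.ingress.conflicts
spec:
  policy:
    policy: |
      # Reject an Ingress whose host is already served by an Ingress in a
      # different namespace. Only spec.rules[].host is compared; spec.tls[].hosts
      # and wildcard hosts are not considered, and data.inventory must already
      # hold the existing Ingress objects for a conflict to be visible.
      #
      # NOTE(review): the original read input.request.*; every other example on
      # this page reads input.review.*, so it is aligned here - confirm which
      # shape the admission input actually provides.
      violation[response] {
        some other_ns, other_ingress
        host := input.review.object.spec.rules[_].host
        ingress := data.inventory.ingresses[other_ns][other_ingress]
        other_ns != input.review.namespace
        ingress.spec.rules[_].host == host

        response = {
          "message": sprintf("invalid ingress host %q (conflicts with %s/%s)", [host, other_ns, other_ingress])
        }
      }
  # NOTE(review): this page lost its indentation; selectors and target are
  # reconstructed as direct children of spec - confirm against the Policy CRD.
  selectors:
    - subject:
        scopes:
          - '*'
    - namespace:
        matchLabels:
          appvia.io/workspace: "*"
    - resource:
        groups:
          - networking.k8s.io
        resources:
          - ingresses
        verbs:
          - create
          - patch
          - update
  target:
    selector:
      matchExpressions:
        - key: appvia.io/stage
          operator: Exists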

Ensure all workloads use read-only filesystems

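apiVersion: policy.appvia.io/v1alpha1
kind: Policy
metadata:
  name: custom.workload.readonlyfs
spec:
  policy:
    policy: |
      # Every container (including init containers) must set
      # securityContext.readOnlyRootFilesystem: true. A missing securityContext
      # or field is undefined in Rego, so `not` reports it as a violation too.
      violation[response] {
        container := input_containers[_]
        not container.securityContext.readOnlyRootFilesystem

        # The original format string was malformed ("%q"" with one argument);
        # one verb, one argument.
        response = {
          "message": sprintf("container %q not using readonly filesystem", [container.name])
        }
      }

      # Only Pods are selected below, which is sufficient because controller-
      # created Pods also pass through admission. spec.ephemeralContainers is
      # not inspected.
      input_containers[c] {
        c := input.review.object.spec.initContainers[_]
      }

      input_containers[c] {
        c := input.review.object.spec.containers[_]
      }
  # NOTE(review): this page lost its indentation; selectors and target are
  # reconstructed as direct children of spec - confirm against the Policy CRD.
  selectors:
    - subject:
        scopes:
          - '*'
    - namespace:
        matchLabels:
          appvia.io/workspace: "*"
    - resource:
        groups:
          - core
        resources:
          - pods
        verbs:
          - create
          - patch
          - update
  target:
    selector:
      matchExpressions:
        - key: appvia.io/stage
          operator: Exists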

Forbid production workload egress policies on certain ports

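apiVersion: policy.appvia.io/v1alpha1
kind: Policy
metadata:
  # Name chosen for this example: the page originally reused
  # custom.workload.readonlyfs, which collides with the policy above.
  name: custom.workload.egress
spec:
  policy:
    policy: |
      # Destination ports that a production NetworkPolicy may not allow egress to.
      forbidden = [
        22, 1398
      ]

      # Flag an egress rule that opens a forbidden numeric port. Named ports
      # (string values) are not resolved, and a port/endPort range that spans
      # a forbidden port is not detected. The membership test is written inline;
      # the previous helper was named `contains`, which shadows the Rego builtin.
      violation[response] {
        rule := input.review.object.spec.egress[_]
        port := rule.ports[_]
        port.port == forbidden[_]

        # The original format string had no verb, so the offending port was
        # never printed.
        response = {
          "message": sprintf("egress policy is using forbidden port %v", [port.port]),
        }
      }
  # NOTE(review): this page lost its indentation; selectors and target are
  # reconstructed as direct children of spec - confirm against the Policy CRD.
  selectors:
    - subject:
        scopes:
          - '*'
    - namespace:
        matchLabels:
          appvia.io/workspace: "*"
        # Restricts the policy to production namespaces.
        matchExpressions:
          - key: appvia.io/stage
            operator: In
            values: [prod]
    - resource:
        # The rule reads spec.egress, which only NetworkPolicy objects carry.
        # The original selected pods in the core group, so it could never match.
        groups:
          - networking.k8s.io
        resources:
          - networkpolicies
        verbs:
          - create
          - patch
          - update
  target:
    selector:
      matchExpressions:
        - key: appvia.io/stage
          operator: Exists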