-
Notifications
You must be signed in to change notification settings - Fork 12
/
template.yaml
29 lines (26 loc) · 1.05 KB
/
template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
# https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/template.yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: loadbalancernopublicips
spec:
crd:
spec:
names:
kind: LoadBalancerNoPublicIPs
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package loadbalancernopublicips
violation[{"msg": msg}] {
input.review.object.metadata.namespace != "kube-system"
not loadbalancer_no_pip(input.review.object)
msg := sprintf("Load Balancers should not have public IPs. azure-load-balancer-internal annotation is required for %v", [input.review.object.metadata.name])
}
loadbalancer_no_pip(service) = true {
service.spec.type == "LoadBalancer"
service.metadata.annotations["service.beta.kubernetes.io/azure-load-balancer-internal"] == "true"
}
loadbalancer_no_pip(service) = true {
service.spec.type != "LoadBalancer"
}