feat: init commit

2023-01-17 22:45:23 +08:00
commit 94130c107c
72 changed files with 7568 additions and 0 deletions
--- a/crates/burrego/examples/opa/Makefile
+++ b/crates/burrego/examples/opa/Makefile
@@ -0,0 +1,12 @@
+SOURCES=$(shell find . -name "*.rego")
+OBJECTS=$(SOURCES:%.rego=%.wasm)
+
+all: $(OBJECTS)
+
+%.wasm: %.rego
+	opa build -t wasm -e policy/main utility/policy.rego -o $*.tar.gz $<
+	tar -xf $*.tar.gz --transform "s|policy.wasm|$*.wasm|" /policy.wasm
+	rm $*.tar.gz
+
+clean:
+	rm -f *.wasm *.tar.gz
--- a/crates/burrego/examples/opa/accept-in-namespaces.rego
+++ b/crates/burrego/examples/opa/accept-in-namespaces.rego
@@ -0,0 +1,8 @@
+package kubernetes.admission
+
+deny[msg] {
+	object_namespace := input.request.object.metadata.namespace
+	satisfied := [allowed_namespace | namespace = data.allowed_namespaces[_]; allowed_namespace = object_namespace == namespace]
+	not any(satisfied)
+	msg := sprintf("object created under an invalid namespace %s; allowed namespaces are %v", [object_namespace, data.allowed_namespaces])
+}
--- a/crates/burrego/examples/opa/always-accept.rego
+++ b/crates/burrego/examples/opa/always-accept.rego
@@ -0,0 +1,6 @@
+package kubernetes.admission
+
+deny[msg] {
+	false
+	msg := ""
+}
--- a/crates/burrego/examples/opa/always-reject.rego
+++ b/crates/burrego/examples/opa/always-reject.rego
@@ -0,0 +1,5 @@
+package kubernetes.admission
+
+deny[msg] {
+	msg := "this is not allowed"
+}
--- a/crates/burrego/examples/opa/no-default-namespace.rego
+++ b/crates/burrego/examples/opa/no-default-namespace.rego
@@ -0,0 +1,8 @@
+package kubernetes.admission
+
+# RBAC alone would suffice here, but we create a policy just to show
+# how it can be done as well.
+deny[msg] {
+	input.request.object.metadata.namespace == "default"
+	msg := "you cannot use the default namespace"
+}
--- a/crates/burrego/examples/opa/utility/README.md
+++ b/crates/burrego/examples/opa/utility/README.md
@@ -0,0 +1,12 @@
+# Open Policy Agent utility
+
+This folder contains the entry point for Open Policy Agent policies.
+
+Since Open Policy Agent policies have to produce an `AdmissionReview`
+object, this utility library contains the Rego entry point that
+generates such `AdmissionReview`, based on whether the `deny` query
+inside the package `kubernetes.admission` (defined by the policy
+itself) is evaluated to `true`.
+
+If `deny` evaluates to true, the produced `AdmissionReview` will
+reject the request. Otherwise, it will be accepted.
--- a/crates/burrego/examples/opa/utility/policy.rego
+++ b/crates/burrego/examples/opa/utility/policy.rego
@@ -0,0 +1,23 @@
+package policy
+
+import data.kubernetes.admission
+
+main = {
+	"apiVersion": "admission.k8s.io/v1",
+	"kind": "AdmissionReview",
+	"response": response,
+}
+
+response = {
+	"uid": input.request.uid,
+	"allowed": false,
+	"status": {"message": reason},
+} {
+	reason = concat(", ", admission.deny)
+	reason != ""
+} else = {
+	"uid": input.request.uid,
+	"allowed": true,
+} {
+	true
+}