feat: init commit

2023-01-17 22:45:23 +08:00
commit 94130c107c
72 changed files with 7568 additions and 0 deletions
--- a/crates/burrego/test_data/gatekeeper/Makefile
+++ b/crates/burrego/test_data/gatekeeper/Makefile
@@ -0,0 +1,10 @@
+test: policy.wasm
+	bats e2e.bats
+
+policy.wasm: policy.rego
+	opa build -t wasm -e policy/violation -o policy.tar.gz policy.rego
+	tar -xf policy.tar.gz /policy.wasm
+	rm policy.tar.gz
+
+clean:
+	rm -f *.wasm *.tar.gz
--- a/crates/burrego/test_data/gatekeeper/e2e.bats
+++ b/crates/burrego/test_data/gatekeeper/e2e.bats
@@ -0,0 +1,21 @@
+#!/usr/bin/env bats
+
+@test "[accept in namespace]: valid namespace" {
+  run cargo run --example  cli -- -v eval policy.wasm --input-path request-valid.json
+  # this prints the output when one the checks below fails
+  echo "output = ${output}"
+
+  # request accepted
+  [ "$status" -eq 0 ]
+  [ $(expr "$output" : '.*"result":.*\[\]') -ne 0 ]
+}
+
+@test "[accept in namespace]: not valid namespace" {
+  run cargo run --example  cli -- -v eval policy.wasm --input-path request-not-valid.json
+  # this prints the output when one the checks below fails
+  echo "output = ${output}"
+
+  # request accepted
+  [ "$status" -eq 0 ]
+  [ $(expr "$output" : '.*"msg": "object created under an invalid namespace kube-system; allowed namespaces are \[default test\]"') -ne 0 ]
+}
--- a/crates/burrego/test_data/gatekeeper/policy.rego
+++ b/crates/burrego/test_data/gatekeeper/policy.rego
@@ -0,0 +1,8 @@
+package policy
+
+violation[{"msg": msg}] {
+	object_namespace := input.review.object.metadata.namespace
+	satisfied := [allowed_namespace | namespace = input.parameters.allowed_namespaces[_]; allowed_namespace = object_namespace == namespace]
+	not any(satisfied)
+	msg := sprintf("object created under an invalid namespace %s; allowed namespaces are %v", [object_namespace, input.parameters.allowed_namespaces])
+}
--- a/crates/burrego/test_data/gatekeeper/request-not-valid.json
+++ b/crates/burrego/test_data/gatekeeper/request-not-valid.json
@@ -0,0 +1,26 @@
+{
+  "parameters": {
+    "allowed_namespaces": [
+      "default",
+      "test"
+    ]
+  },
+  "review": {
+    "uid": "1299d386-525b-4032-98ae-1949f69f9cfc",
+    "kind": {
+      "group": "networking.k8s.io",
+      "kind": "Ingress",
+      "version": "v1"
+    },
+    "object": {
+      "apiVersion": "networking.k8s.io/v1",
+      "kind": "Ingress",
+      "metadata": {
+        "name": "ingress-wildcard-host",
+        "namespace": "kube-system"
+      },
+      "spec": {
+      }
+    }
+  }
+}
--- a/crates/burrego/test_data/gatekeeper/request-valid.json
+++ b/crates/burrego/test_data/gatekeeper/request-valid.json
@@ -0,0 +1,26 @@
+{
+  "parameters": {
+    "allowed_namespaces": [
+      "default",
+      "test"
+    ]
+  },
+  "review": {
+    "uid": "1299d386-525b-4032-98ae-1949f69f9cfc",
+    "kind": {
+      "group": "networking.k8s.io",
+      "kind": "Ingress",
+      "version": "v1"
+    },
+    "object": {
+      "apiVersion": "networking.k8s.io/v1",
+      "kind": "Ingress",
+      "metadata": {
+        "name": "ingress-wildcard-host",
+        "namespace": "default"
+      },
+      "spec": {
+      }
+    }
+  }
+}