
     1  apiVersion: templates.gatekeeper.sh/v1beta1
     2  kind: ConstraintTemplate
     3  metadata:
     4    name: azureidentityformat
     5  spec:
     6    crd:
     7      spec:
     8        names:
     9          kind: azureidentityformat
    10    targets:
    11      - target: admission.k8s.gatekeeper.sh
    12        rego: |
    13          package azureidentityformat
    14          violation[{"msg": msg}] {
    15           input.review.kind.kind == "AzureIdentity"
    16           # format of resourceId is checked only for user-assigned MSI
    17           input.review.object.spec.type == 0
    18           resourceId := input.review.object.spec.resourceID
    19           result := re_match(`(?i)/subscriptions/(.+?)/resourcegroups/(.+?)/providers/Microsoft.ManagedIdentity/(.+?)/(.+)`,resourceId)
    20           result == false
    21           msg := sprintf(`The identity resourceId '%v' is invalid.It must be of the following format: '/subscriptions/<subid>/resourcegroups/<resourcegroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>'`,[resourceId])
    22           }