Code Snippets Open Policy Agent


Obtain access token from Google

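# access_token exchanges the signed service-account assertion (auth_token,
# defined elsewhere in this package) for a Google OAuth2 access token using the
# RFC 7523 JWT-bearer grant.
#
# The rule is undefined — not an error — when the exchange does not succeed:
# http.send only raises on transport failures, and a 4xx/5xx response body from
# the token endpoint carries an "error" object rather than "access_token". The
# explicit status_code check makes that failure mode visible to readers.
#
# NOTE(review): every policy evaluation that references access_token performs a
# live token exchange unless http.send caching is configured; consider the rate
# this endpoint will be hit.
access_token := resp.body.access_token {
	resp := http.send({
		"method": "POST",
		"url": "https://oauth2.googleapis.com/token",
		"headers": {"Content-Type": "application/x-www-form-urlencoded"},
		# auth_token is a compact JWS (base64url segments joined by '.'), so it
		# contains no characters that need form-encoding.
		"raw_body": sprintf("grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=%s", [auth_token]),
	})
	resp.status_code == 200
}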

Obtaining an access token for use against Google APIs

package google_api_client

# Current time in whole seconds since the Unix epoch. time.now_ns() is in
# nanoseconds, while the JWT iat/exp claims below are expressed in seconds.
now_s := round(time.now_ns() / 1000000000)

# Self-signed service-account assertion (RFC 7523 JWT-bearer) that is later
# exchanged at Google's token endpoint for an access token.
auth_token := io.jwt.encode_sign(
	{
		“alg”: “RS256”,
		“typ”: “JWT”
	},
	{
		# NOTE(review): empty placeholder — this must be the service account's
		# client_email from the credentials JSON; the exchange is rejected otherwise.
		“iss”: “”,
		# Replace with whatever scopes needed
		“scope”: “https://www.googleapis.com/auth/calendar.events.readonly”,
		# Audience must be the same endpoint the assertion is POSTed to.
		“aud”: “https://oauth2.googleapis.com/token”,
		# NOTE(review): Google rejects assertions valid for more than one hour;
		# keep exp - iat <= 3600.
		“exp”: now_s + 3600,
		“iat”: now_s
	},
	# SIGNING_KEY is the PEM encoded private_key from the credentials file
	# NOTE(review): the private key is read from the OPA process environment on
	# every evaluation. Make sure the env is not dumped into logs/diagnostics and
	# that only OPA can read it (a mounted secret with restricted permissions is
	# the usual alternative).
	crypto.x509.parse_rsa_private_key(opa.runtime().env.SIGNING_KEY)
)

access_token := http.send({ “method”: “POST”, “url”: […]

deny_privileged_mode.rego

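package kubernetes.validating.deny_privileged_mode

# Deny any Pod container that requests privileged mode. A privileged container
# runs with all capabilities and access to host devices, which is effectively
# root on the node, so it is denied regardless of namespace or image.
deny[msg] {
	some c
	input_container[c]
	# `privileged` is a boolean: the bare reference is satisfied only when the
	# field is present and true, so an absent field or `privileged: false` passes.
	c.securityContext.privileged
	msg := sprintf("Container '%v' should not run in privileged mode.", [c.name])
}

# input_container enumerates every container spec in the Pod that can carry a
# securityContext. All three lists are covered so a privileged container cannot
# slip in through a less obvious list.
input_container[container] {
	container := input.request.object.spec.containers[_]
}

input_container[container] {
	container := input.request.object.spec.initContainers[_]
}

# Ephemeral containers (for example those created by `kubectl debug`) may also
# request privileged mode. NOTE(review): they are added via an UPDATE on the
# pods/ephemeralcontainers subresource, so the webhook configuration must match
# that subresource for this branch to ever be evaluated.
input_container[container] {
	container := input.request.object.spec.ephemeralContainers[_]
}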

deny_host_namespaces.rego

package kubernetes.validating.deny_host_namespaces

# One deny rule per host namespace a Pod can join (network, PID, IPC). Sharing
# any of these with the node lets a container observe or interfere with host
# processes and traffic. The explicit `== true` comparison means an absent
# field (the Kubernetes default, false) does not trigger a deny.
# NOTE(review): only requests whose kind is Pod are inspected; Pods created by
# Deployments/Jobs are still admitted individually, but confirm the webhook is
# registered for pods on CREATE (and UPDATE) so this is actually evaluated.
deny[msg] {
	input.request.kind.kind == “Pod”
	input.request.object.spec.hostNetwork == true
	msg := “Pod cannot be created with hostNetwork enabled.”
}

deny[msg] {
	input.request.kind.kind == “Pod”
	input.request.object.spec.hostPID == true
	msg := “Pod cannot be created with hostPID enabled.”
}

deny[msg] {
	input.request.kind.kind == “Pod”
	input.request.object.spec.hostIPC == true
	msg := “Pod cannot be created with hostIPC enabled.” […]

deny_privilege_escalation.rego

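package kubernetes.validating.deny_privilege_escalation

# Deny any Pod container that does not explicitly disable privilege escalation.
# Kubernetes defaults allowPrivilegeEscalation to true when the field is
# omitted, so the check is written as "not == false" rather than "== true":
# an absent field, or any value other than false, is denied. The message says
# "set to true" for the absent case as well, since that is the effective value.
deny[msg] {
	some c
	input_container[c]
	not c.securityContext.allowPrivilegeEscalation == false
	msg := sprintf("Container '%v' should not have allowPrivilegeEscalation set to true.", [c.name])
}

# input_container enumerates every container spec in the Pod that can carry a
# securityContext, so the requirement applies uniformly to all of them.
input_container[container] {
	container := input.request.object.spec.containers[_]
}

input_container[container] {
	container := input.request.object.spec.initContainers[_]
}

# Ephemeral containers (for example those created by `kubectl debug`) carry a
# securityContext too. NOTE(review): they are added via an UPDATE on the
# pods/ephemeralcontainers subresource, so the webhook configuration must match
# that subresource for this branch to ever be evaluated.
input_container[container] {
	container := input.request.object.spec.ephemeralContainers[_]
}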