Commit

Add namespace check for workload connections in exposure rules
kooomix committed Jan 15, 2025
1 parent e4e9e7c commit 7c55420
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions rules/exposure-to-internet/raw.rego
Expand Up @@ -9,6 +9,7 @@ deny[msga] {
wl := input[_]
spec_template_spec_patterns := {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Pod", "Job", "CronJob"}
spec_template_spec_patterns[wl.kind]
is_same_namespace(wl.metadata, service.metadata)
pod := get_pod_spec(wl)["spec"]
wl_connected_to_service(pod, service)
failPath := ["spec.type"]
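Review bot: the new `is_same_namespace(wl.metadata, service.metadata)` condition in `deny[msga]` relies on a helper whose definition is not visible in this hunk, and its handling of a missing `namespace` field decides whether this rule can now produce false negatives. Manifests scanned from files often omit `metadata.namespace` and land in `default` when applied, so if the helper compares the two fields directly, a workload with no namespace and a service with `namespace: default` (or the reverse) would stop matching and the exposure would no longer be reported. Please confirm the helper treats an omitted namespace as `default` on both sides. Since the commit touches only this one file, it would also help to add two test fixtures alongside it: a workload and service with matching selectors in different namespaces (expect no finding), and the same pair with the namespace omitted on one side (expect a finding).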