Morgan Hoffman · 35077ae2 · ae35c00c · 35077ae2
--- a/rego/allow_rollout_restart/policy.rego

+ 12

− 5
+++ b/rego/allow_rollout_restart/policy.rego

+ 12

− 5
 package allow_rollout_restart

-
+# Violation caused when user is not flux and not in the admin group, trying to use UPDATE to change a DEPLOYMENT. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
 violation[{"msg": msg}] {
    not input.review.userInfo.username == "flux"
+    not contains(input.review.userInfo.groups, "oidc:it.platform.roles.admin")
    input.review.kind.kind == "Deployment"
-	input.review.operation == "PATCH"
-    new_annotations := json.remove(input.review.object,["metadata/annotations/kubectl.kubernetes.io.restartedAt"])
-    old_annotations := json.remove(input.review.oldObject,["metadata/annotations/kubectl.kubernetes.io.restartedAt"]) 
+    input.review.operation == "UPDATE"
+    new_annotations := json.remove(input.review.object,["spec/template/metadata/annotations/kubectl.kubernetes.io~1restartedAt","metadata/generation","metadata/managedFields"])
+    old_patched_annotations := json.patch(input.review.oldObject,[{"op": "add", "path": "spec/template/metadata/annotations/kubectl.kubernetes.io~1restartedAt", "value": 3}])
+    old_annotations := json.remove(old_patched_annotations,["spec/template/metadata/annotations/kubectl.kubernetes.io~1restartedAt","metadata/generation","metadata/managedFields"])
    old_annotations != new_annotations
-	msg := sprintf("Only patch to annotation kubectl.kubernetes.io.restartedAt is allowed. Used '%v'", [input.review.object.metadata.annotations] )
+	msg := sprintf("Only patch to annotation kubectl.kubernetes.io.restartedAt is allowed. ",[])
+
 }

+
+contains(grouparray,testgroup) {
+    grouparray[_] = testgroup
+}
+\ No newline at end of file