import "sockaddr"
import "strings"
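# Precondition: the request writes (create/update/delete) under the
# "database/" mount, i.e. it touches database secrets.  Read-only
# operations and other mounts are deliberately excluded here.
precond = rule {
  request.operation in ["create", "update", "delete"] and
  # Fixed: the original used a typographic opening quote (“database/")
  # which is not a valid string literal and breaks the policy.
  strings.has_prefix(request.path, "database/")
}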
# Address of the self-hosted pipeline runner on the private network;
# the /32 prefix pins the check to exactly this one host.
runner_cidr = "172.16.0.9/32"

# Source-address check: the request's remote address must fall inside
# runner_cidr (as seen by the server; this is request.connection.remote_addr).
cidrcheck = rule {
  sockaddr.is_contained(request.connection.remote_addr, runner_cidr)
}
# Evaluate the precondition before running cidrcheck.
# `rule when precond`: cidrcheck is only evaluated when precond is true;
# when precond is false the rule passes, so requests that do not modify
# database secrets are unaffected by the source-address restriction.
main = rule when precond {
  cidrcheck
}