Add OPA examples on pathType restrictions

docs/examples/openpolicyagent/README.md

@@ -0,0 +1,25 @@
+# OpenPolicyAgent and pathType enforcing
+
+Ingress API allows users to specify different [pathType](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) 
+on Ingress object. 
+
+While pathType `Exact` and `Prefix` should allow only a small set of characters, pathType `ImplementationSpecific`
+allows any characters, as it may contain regexes, variables and other features that may be specific of the Ingress 
+Controller being used.
+
+This means that the Ingress Admins (the persona who deployed the Ingress Controller) should trust the users 
+allowed to use `pathType: ImplementationSpecific`, as this may allow arbitrary configuration, and this 
+configuration may end on the proxy (aka Nginx) configuration.
+
+## Example
+The example in this repo uses [Gatekeeper](https://open-policy-agent.github.io/gatekeeper/website/) to block the usage of `pathType: ImplementationSpecific`, 
+allowing just a specific list of namespaces to use it.
+
+It is recommended that the admin modifies this rules to enforce a specific set of characters when the usage of ImplementationSpecific
+is allowed, or in ways that best suits their needs.
+
+First, the `ConstraintTemplate` from [template.yaml](template.yaml) will define a rule that validates if the Ingress object 
+is being created on an excempted namespace, and case not, will validate its pathType.
+
+Then, the rule `K8sBlockIngressPathType` contained in [rule.yaml](rule.yaml) will define the parameters: what kind of 
+object should be verified (Ingress), what are the excempted namespaces, and what kinds of pathType are blocked.

docs/examples/openpolicyagent/rule.yaml

@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sBlockIngressPathType
+metadata:
+  name: implspecificisblocked
+spec:
+  match:
+    kinds:
+      - apiGroups: ["networking.k8s.io"]
+        kinds: ["Ingress"]
+  parameters:
+    namespacesExceptions:
+      - "privileged"
+    blockedTypes:
+      - "ImplementationSpecific"

docs/examples/openpolicyagent/template.yaml

@@ -0,0 +1,40 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8sblockingresspathtype
+  annotations:
+    metadata.gatekeeper.sh/title: "Block a pathType usage"
+    description: >-
+      Users should not be able to use specific pathTypes
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sBlockIngressPathType
+      validation:
+        openAPIV3Schema:
+          type: object
+          properties:
+            blockedTypes:
+              type: array
+              items: 
+                type: string 
+            namespacesExceptions:
+              type: array
+              items: 
+                type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package K8sBlockIngressPathType
+
+        violation[{"msg": msg}] {
+          input.review.kind.kind == "Ingress"
+          ns := input.review.object.metadata.namespace
+          excemptNS := [good | excempts = input.parameters.namespacesExceptions[_] ; good = excempts == ns]
+          not any(excemptNS)
+          pathType := object.get(input.review.object.spec.rules[_].http.paths[_], "pathType", "")
+          blockedPath := [blocked | blockedTypes = input.parameters.blockedTypes[_] ; blocked = blockedTypes == pathType]
+          any(blockedPath)
+          msg := sprintf("pathType '%v' is not allowed in this namespace", [pathType])
+        }

docs/examples/openpolicyagent/tests/should-allow-ns-except.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  creationTimestamp: null
+  name: simple
+  namespace: privileged
+spec:
+  rules:
+  - host: foo1.com
+    http:
+      paths:
+      - backend:
+          service:
+            name: svc1
+            port:
+              number: 8080
+        path: /bar
+        pathType: ImplementationSpecific

docs/examples/openpolicyagent/tests/should-allow.yaml

@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  creationTimestamp: null
+  name: simple
+spec:
+  rules:
+  - host: foo.com
+    http:
+      paths:
+      - backend:
+          service:
+            name: svc1
+            port:
+              number: 8080
+        path: /bar
+        pathType: Exact

docs/examples/openpolicyagent/tests/should-deny.yaml

@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  creationTimestamp: null
+  name: simple
+spec:
+  rules:
+  - host: foo2.com
+    http:
+      paths:
+      - backend:
+          service:
+            name: svc1
+            port:
+              number: 8080
+        path: /bar
+        pathType: ImplementationSpecific

mkdocs.yml

@@ -126,6 +126,7 @@ nav:
       - Static IPs: "examples/static-ip/README.md"
       - TLS termination: "examples/tls-termination/README.md"
       - Pod Security Policy (PSP): "examples/psp/README.md"
+      - Open Policy Agent rules: "examples/openpolicyagent/README.md"
   - Developer Guide:
       - Getting Started: "developer-guide/getting-started.md"
       - Code Overview: "developer-guide/code-overview.md"