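---
# Gatekeeper ConstraintTemplates for a multi-tenant Spark-on-Kubernetes setup.
# Each template compares fields of the admitted object with the requesting user
# (input.review.userInfo.username) so that a user can only create or reference
# resources that carry their own name.
#
# Note on Rego semantics: a comparison against an undefined value is itself
# undefined and yields NO violation, i.e. the policy fails open. Every template
# below therefore carries an explicit "field is missing" rule so that a request
# lacking the checked field is denied rather than silently admitted.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: secretnames
spec:
  crd:
    spec:
      names:
        kind: secretNames
      validation:
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package secretname

        # The only secret name a user is allowed to create.
        expected_name := sprintf("hdfs-token-%v", [input.review.userInfo.username])

        # Secret name must be exactly "hdfs-token-<username>".
        violation[{"msg": msg}] {
          input.review.object.metadata.name != expected_name
          msg := sprintf("Bad secret name: %v:%v", [input.review.userInfo.username, input.review.object.metadata.name])
        }

        # Fail closed: without a username the name check above is undefined.
        violation[{"msg": msg}] {
          not input.review.userInfo.username
          msg := "Missing userInfo.username in admission review"
        }

        # Fail closed: an object without metadata.name cannot be validated.
        violation[{"msg": msg}] {
          not input.review.object.metadata.name
          msg := "Missing metadata.name on secret"
        }
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: secretmountnames
spec:
  crd:
    spec:
      names:
        kind: secretMountNames
      validation:
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package secretmountname

        # "some ... in ..." needs the `in` future keyword.
        import future.keywords.in

        # Secrets mounted into Spark pods must belong to the requesting user.
        # The suffix that is checked includes the separator: a bare
        # endswith(name, username) would let user "b" mount "hdfs-token-bob".
        user_suffix := sprintf("-%v", [input.review.userInfo.username])

        # Executor-side secrets.
        violation[{"msg": msg}] {
          some secret in input.review.object.spec.executor.secrets
          not endswith(secret.name, user_suffix)
          msg := sprintf("Bad secret name to be mounted on executor: %v", [secret.name])
        }

        # Driver-side secrets are mounted the same way and need the same check.
        violation[{"msg": msg}] {
          some secret in input.review.object.spec.driver.secrets
          not endswith(secret.name, user_suffix)
          msg := sprintf("Bad secret name to be mounted on driver: %v", [secret.name])
        }

        # Fail closed: a secret entry without a name would make the checks
        # above undefined.
        violation[{"msg": msg}] {
          some secret in input.review.object.spec.executor.secrets
          not secret.name
          msg := "Executor secret entry without a name"
        }

        violation[{"msg": msg}] {
          some secret in input.review.object.spec.driver.secrets
          not secret.name
          msg := "Driver secret entry without a name"
        }

        # Fail closed: without a username the suffix is undefined.
        violation[{"msg": msg}] {
          not input.review.userInfo.username
          msg := "Missing userInfo.username in admission review"
        }
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: serviceaccountexecutors
spec:
  crd:
    spec:
      names:
        kind: serviceAccountExecutors
      validation:
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package serviceaccountexecutor

        # Executors must run under an explicitly named service account rather
        # than the namespace default.
        violation[{"msg": msg}] {
          not input.review.object.spec.executor.serviceAccount
          msg := "Missing svc name"
        }
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: goodserviceaccountexecutors
spec:
  crd:
    spec:
      names:
        kind: goodServiceAccountExecutors
      validation:
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package goodserviceaccountexecutors

        # The executor service account a user may run as.
        expected_sa := sprintf("spark-run-%v", [input.review.userInfo.username])

        # Executor service account must be exactly "spark-run-<username>".
        # The message reports the executor service account that was checked
        # (the driver service account is not part of this rule).
        violation[{"msg": msg}] {
          input.review.object.spec.executor.serviceAccount != expected_sa
          msg := sprintf("Bad svc name: %v:%v", [input.review.object.spec.executor.serviceAccount, input.review.object.metadata.name])
        }

        # Fail closed: without a username the comparison above is undefined.
        violation[{"msg": msg}] {
          not input.review.userInfo.username
          msg := "Missing userInfo.username in admission review"
        }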