expired.rego 733 B

1234567891011121314151617181920212223242526
  1. package certificates.expired
  2. import future.keywords
  3. POLICY_ID := sprintf("certificates_expired_%s_%s", [input.metadata.namespace, input.metadata.name])
  4. POLICY_VERSION := "v0.0.1"
  5. POLICY_SEVERITY := "critical"
  6. POLICY_TITLE := sprintf("Certificate %s/%s should not be expired", [input.metadata.namespace, input.metadata.name])
  7. POLICY_SUCCESS_MESSAGE := sprintf("Success: certificate %s/%s is not expired", [input.metadata.namespace, input.metadata.name])
  8. allow if {
  9. not rfc3339_expired(input.status.notAfter)
  10. }
  11. FAILURE_MESSAGE contains msg if {
  12. rfc3339_expired(input.status.notAfter)
  13. msg := sprintf("Certificate expired at %s", [input.status.notAfter])
  14. }
  15. rfc3339_expired(a) if {
  16. time.parse_rfc3339_ns(a) < time.now_ns()
  17. }