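package bluejayinfra.localhost_image_pull_policy

# Admission/CI policy for image references in workload manifests.
#
# Two conditions are reported through the `deny` set:
#   1. An image under "localhost/" whose imagePullPolicy is not exactly "Never".
#      With any other policy (or none, which lets the cluster default apply)
#      the kubelet may try to pull the image from a registry.
#   2. An image whose reference starts with "fc-" and contains no "/", i.e. a
#      FlowerCore image that is not written with the "localhost/" prefix.
#
# Both conditions are checked for containers and initContainers alike.
#
# NOTE(review): only Deployment, StatefulSet and DaemonSet are inspected. Bare
# Pods, Jobs, CronJobs and ReplicaSets, and any ephemeralContainers, pass this
# policy unchecked. Confirm that is intended, or that another policy covers them.

# Kinds whose pod template lives at spec.template.spec.
workload_kinds := {"Deployment", "StatefulSet", "DaemonSet"}

# pod_spec returns the pod template spec of a supported workload kind and is
# undefined for every other kind, so no deny rule fires for them.
pod_spec(spec) = pod {
    workload_kinds[input.kind]
    pod := spec.template.spec
}

# resource_id renders "<namespace>/<name>" for messages. Missing metadata fields
# fall back to a placeholder: a direct reference to an absent field is undefined
# in Rego, which would make the whole deny rule undefined and let a manifest
# without metadata.namespace pass silently.
resource_id = id {
    meta := object.get(input, "metadata", {})
    id := sprintf("%s/%s", [
        object.get(meta, "namespace", "<unset>"),
        object.get(meta, "name", "<unset>"),
    ])
}

# labelled_containers is the set of [label, container] pairs for the pod, where
# label is the word used in messages ("container" or "initContainer").
labelled_containers[["container", c]] {
    pod := pod_spec(input.spec)
    c := pod.containers[_]
}

labelled_containers[["initContainer", c]] {
    pod := pod_spec(input.spec)
    c := pod.initContainers[_]
}

# A localhost image must never be pulled.
deny[msg] {
    labelled_containers[[label, container]]
    startswith(object.get(container, "image", ""), "localhost/")
    object.get(container, "imagePullPolicy", "") != "Never"
    msg := sprintf("%s %s %s uses a localhost image without imagePullPolicy: Never", [
        resource_id,
        label,
        object.get(container, "name", "<unnamed>"),
    ])
}

# A FlowerCore image must be referenced through a path, not as a bare "fc-*" name.
deny[msg] {
    labelled_containers[[label, container]]
    image := object.get(container, "image", "")
    startswith(image, "fc-")
    not contains(image, "/")
    msg := sprintf("%s %s %s uses a non-localhost FlowerCore image reference %s", [
        resource_id,
        label,
        object.get(container, "name", "<unnamed>"),
        image,
    ])
}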