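package bluejayinfra.public_egress_dns_none

# Deployments named here are permitted direct public-internet egress. They
# must resolve DNS outside the cluster: dnsPolicy must be None, and the
# internal search domain must not be appended to their lookups.
#
# Scope: only `kind: Deployment` is evaluated. A StatefulSet, DaemonSet or
# CronJob running one of these workloads is not checked by this package.
public_egress_workloads := {
	"asterisk",
	"fc-llm-bridge",
	"mysql-web",
	"php-web",
	"ttsreader-align",
	"ttsreader-kokoro",
	"ttsreader-modern",
	"ttsreader-piper",
}

# Internal search domain that must never appear in dnsConfig.searches for a
# public-egress workload. Compared case-insensitively as a substring, so
# sub-domains of it are rejected as well.
internal_search_domain := "iamworkin.lan"

# Namespace shown in denial messages. A manifest that omits
# metadata.namespace (relying on `kubectl -n` at apply time) previously made
# the sprintf reference undefined, which silently suppressed both denials;
# the default keeps the rules firing with a placeholder instead.
default workload_namespace := "<unset>"

workload_namespace := input.metadata.namespace

# Pod template spec of the Deployment under evaluation.
pod_spec := input.spec.template.spec

# True when the input is a Deployment listed in public_egress_workloads.
is_public_egress_deployment {
	input.kind == "Deployment"
	public_egress_workloads[input.metadata.name]
}

# Deny a listed Deployment whose pod template does not set dnsPolicy: None.
# An absent dnsPolicy is treated as a violation (object.get default "").
#
# NOTE(review): dnsPolicy: None requires the pod to supply its own
# dnsConfig.nameservers; which resolvers are configured there is not
# checked by this package.
deny[msg] {
	is_public_egress_deployment
	object.get(pod_spec, "dnsPolicy", "") != "None"
	msg := sprintf("Deployment %s/%s must set dnsPolicy: None for public-internet egress", [workload_namespace, input.metadata.name])
}

# Deny a listed Deployment whose dnsConfig.searches contains the internal
# search domain in any letter case. Missing dnsConfig or searches is fine.
deny[msg] {
	is_public_egress_deployment
	dns_config := object.get(pod_spec, "dnsConfig", {})
	search := object.get(dns_config, "searches", [])[_]
	contains(lower(search), internal_search_domain)
	msg := sprintf("Deployment %s/%s must not include iamworkin.lan in dnsConfig.searches", [workload_namespace, input.metadata.name])
}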