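package bluejayinfra.traefik_vip_backend_ports

# Admission check for egress NetworkPolicies that reach the Traefik VIP
# (10.0.56.200). A policy that opens a front-end port on the VIP must also
# open the matching backend port:
#   443 -> 8443
#   80  -> 8080 or 8000
#
# Known limits of this check (all visible in the rules below):
#   * The VIP is matched by exact string "10.0.56.200/32"; a wider ipBlock
#     that happens to contain the VIP is not examined.
#   * Only numeric `port` values are compared; `endPort` ranges, named ports
#     and `protocol` are not evaluated.

# True when any egress rule names the VIP as an ipBlock peer.
has_vip {
	is_vip_rule(input.spec.egress[_])
}

# True when any egress rule in the policy explicitly lists `port`,
# regardless of that rule's peers.
has_port(port) {
	input.spec.egress[_].ports[_].port == port
}

# True when `rule` (one element of spec.egress) has the VIP among its peers.
is_vip_rule(rule) {
	rule.to[_].ipBlock.cidr == "10.0.56.200/32"
}

# True when `rule` explicitly lists `port`.
rule_allows_port(rule, port) {
	rule.ports[_].port == port
}

# Kubernetes treats a missing or empty `ports` list as "all ports", so such a
# rule opens every front-end port on its peers.
rule_allows_port(rule, _) {
	count(object.get(rule, "ports", [])) == 0
}

# True when a single egress rule both targets the VIP and opens `port`.
# Peer and port are taken from the same rule: a port listed in an unrelated
# egress rule does not open that port on the VIP.
vip_allows_port(port) {
	rule := input.spec.egress[_]
	is_vip_rule(rule)
	rule_allows_port(rule, port)
}

# HTTPS: VIP:443 is reachable but backend port 8443 is not listed anywhere.
# NOTE(review): the backend port is still looked up policy-wide (has_port),
# as in the original rule; presumably the backend peers may live in a
# different egress rule than the VIP - confirm against the cluster's
# NetworkPolicy enforcement point.
deny[msg] {
	input.kind == "NetworkPolicy"
	vip_allows_port(443)
	not has_port(8443)
	msg := sprintf("NetworkPolicy %s/%s allows 10.0.56.200:443 without backend port 8443", [input.metadata.namespace, input.metadata.name])
}

# HTTP: VIP:80 is reachable but neither backend port 8080 nor 8000 is listed.
deny[msg] {
	input.kind == "NetworkPolicy"
	vip_allows_port(80)
	not has_port(8080)
	not has_port(8000)
	msg := sprintf("NetworkPolicy %s/%s allows 10.0.56.200:80 without backend HTTP port 8080 or 8000", [input.metadata.namespace, input.metadata.name])
}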