apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sblockingresspathtype
  annotations:
    metadata.gatekeeper.sh/title: "Block a pathType usage"
    description: >-
      Users should not be able to use specific pathTypes
spec:
  crd:
    spec:
      names:
        kind: K8sBlockIngressPathType
      validation:
        openAPIV3Schema:
          type: object
          properties:
            blockedTypes:
              type: array
              items:
                type: string
            namespacesExceptions:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package K8sBlockIngressPathType

        violation[{"msg": msg}] {
          input.review.kind.kind == "Ingress"
          ns := input.review.object.metadata.namespace
          exemptNS := [good | exempts = input.parameters.namespacesExceptions[_] ; good = exempts == ns]
          not any(exemptNS)
          pathType := object.get(input.review.object.spec.rules[_].http.paths[_], "pathType", "")
          blockedPath := [blocked | blockedTypes = input.parameters.blockedTypes[_] ; blocked = blockedTypes == pathType]
          any(blockedPath)
          msg := sprintf("pathType '%v' is not allowed in this namespace", [pathType])
        }