Ensure OPA strict mode compliance

Hi Gatekeeper friends! 👋😃

In order to ensure the Gatekeeper library works with future
updates of OPA, and to better catch some common mistakes in
Rego policy in the future, this PR aims to fix all errors
reported from `opa check --strict src`, and to make sure
future changes are compliant with the OPA
[strict mode](https://www.openpolicyagent.org/docs/latest/policy-language/#strict-mode)
checks.

The errors raised from strict mode, and which are fixed with
this PR, include:

* `input` must not be shadowed/assigned
* Unused function args — use wildcards (`_`) in their place
* Unused local assignment
* Deprecated built-in functions
  * `re_match` -> `regex.match`
  * `all` -> these were not needed
  * `any` -> `strings.any_prefix_match` and `strings.any_suffix_match`
     as these were always used together with `startswith`/`endswith`

The by far most noisy fix was the first one, i.e. `input` getting
shadowed in basically all tests. Changed to use `inp` for a name
as `in` is of course another name we don't want to shadow 😅

The changes here do not change semantics of the code. I did however
also make some additional fixes where e.g. the unused function args
error showed that a function wasn't needed in the first place, and
so on. Naturally, all tests pass as before.

Two things I'm not sure about:

1. The code introduces the `strings.any_prefix_match` and
   `strings.any_suffix_match` built-in functions in one policy. These
   were introduced in OPA v0.44.0, which is quite a few OPA and
   Gatekeeper versions ago. I could not find information on what the
   minimum version of OPA or Gatekeeper must be supported in the Rego
   code in this library. If needed, that change can be reverted.
2. https://github.com/open-policy-agent/gatekeeper-library mentions
   Versioning. Should I update the versions of each policy changed
   with this PR?

To make sure the code stays compliant, I've added the
`opa check --strict` command to execute with the `test.sh` script,
before the unit tests run.

Signed-off-by: Anders Eknert <anders@styra.com>

.github/workflows/workflow.yaml

@@ -45,7 +45,7 @@ jobs:
     strategy:
       matrix:
         os: [ "ubuntu-latest", "macos-latest" ]
-        opa: [ "v0.42.2" ]
+        opa: [ "v0.44.0", "v0.57.1" ]
     name: Unit test on ${{ matrix.os }} opa ${{ matrix.opa }}
     steps:
       - name: Harden Runner

artifacthub/library/general/allowedrepos/1.0.1/artifacthub-pkg.yml

@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8sallowedrepos
+displayName: Allowed Repositories
+createdAt: "2023-10-30T20:59:57Z"
+description: Requires container images to begin with a string from the specified list.
+digest: eaff16a982c2d3029b280b3d4061d82b55215ac648efaafa341e25c7c77b635f
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/allowedrepos
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Allowed Repositories
+    Requires container images to begin with a string from the specified list.
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/allowedrepos/1.0.1/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library

artifacthub/library/general/allowedrepos/1.0.1/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - template.yaml

artifacthub/library/general/allowedrepos/1.0.1/samples/repo-must-be-openpolicyagent/constraint.yaml

@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sAllowedRepos
+metadata:
+  name: repo-is-openpolicyagent
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+    namespaces:
+      - "default"
+  parameters:
+    repos:
+      - "openpolicyagent/"

artifacthub/library/general/allowedrepos/1.0.1/samples/repo-must-be-openpolicyagent/disallowed_all.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-disallowed
+spec:
+  initContainers:
+  - name: nginx
+    image: nginx
+    resources:
+      limits:
+        cpu: "100m"
+        memory: "30Mi"
+  containers:
+    - name: nginx
+      image: nginx
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"
+  ephemeralContainers:
+    - name: nginx
+      image: nginx
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"

artifacthub/library/general/allowedrepos/1.0.1/samples/repo-must-be-openpolicyagent/example_allowed.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: opa-allowed
+spec:
+  containers:
+    - name: opa
+      image: openpolicyagent/opa:0.9.2
+      args:
+        - "run"
+        - "--server"
+        - "--addr=localhost:8080"
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"

artifacthub/library/general/allowedrepos/1.0.1/samples/repo-must-be-openpolicyagent/example_disallowed_both.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-disallowed
+spec:
+  initContainers:
+  - name: nginxinit
+    image: nginx
+    resources:
+      limits:
+        cpu: "100m"
+        memory: "30Mi"
+  containers:
+    - name: nginx
+      image: nginx
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"

artifacthub/library/general/allowedrepos/1.0.1/samples/repo-must-be-openpolicyagent/example_disallowed_container.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-disallowed
+spec:
+  containers:
+    - name: nginx
+      image: nginx
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"

artifacthub/library/general/allowedrepos/1.0.1/samples/repo-must-be-openpolicyagent/example_disallowed_initcontainer.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-disallowed
+spec:
+  initContainers:
+    - name: nginxinit
+      image: nginx
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"
+  containers:
+    - name: opa
+      image: openpolicyagent/opa:0.9.2
+      args:
+        - "run"
+        - "--server"
+        - "--addr=localhost:8080"
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"

artifacthub/library/general/allowedrepos/1.0.1/suite.yaml

@@ -0,0 +1,43 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: allowedrepos
+tests:
+- name: allowed-repos
+  template: template.yaml
+  constraint: samples/repo-must-be-openpolicyagent/constraint.yaml
+  cases:
+  - name: example-allowed
+    object: samples/repo-must-be-openpolicyagent/example_allowed.yaml
+    assertions:
+    - violations: no
+  - name: container-disallowed
+    object: samples/repo-must-be-openpolicyagent/example_disallowed_container.yaml
+    assertions:
+    - violations: yes
+      message: container
+  - name: initcontainer-disallowed
+    object: samples/repo-must-be-openpolicyagent/example_disallowed_initcontainer.yaml
+    assertions:
+    - violations: 1
+      message: initContainer
+    - violations: 0
+      message: container
+  - name: both-disallowed
+    object: samples/repo-must-be-openpolicyagent/example_disallowed_both.yaml
+    assertions:
+    - violations: 2
+    - message: initContainer
+      violations: 1
+    - message: container
+      violations: 1
+  - name: all-disallowed
+    object: samples/repo-must-be-openpolicyagent/disallowed_all.yaml
+    assertions:
+    - violations: 3
+    - message: initContainer
+      violations: 1
+    - message: container
+      violations: 1
+    - message: ephemeralContainer
+      violations: 1

artifacthub/library/general/allowedrepos/1.0.1/template.yaml

@@ -0,0 +1,46 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8sallowedrepos
+  annotations:
+    metadata.gatekeeper.sh/title: "Allowed Repositories"
+    metadata.gatekeeper.sh/version: 1.0.1
+    description: >-
+      Requires container images to begin with a string from the specified list.
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sAllowedRepos
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          type: object
+          properties:
+            repos:
+              description: The list of prefixes a container image is allowed to have.
+              type: array
+              items:
+                type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sallowedrepos
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.containers[_]
+          not strings.any_prefix_match(container.image, input.parameters.repos)
+          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+        }
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.initContainers[_]
+          not strings.any_prefix_match(container.image, input.parameters.repos)
+          msg := sprintf("initContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+        }
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.ephemeralContainers[_]
+          not strings.any_prefix_match(container.image, input.parameters.repos)
+          msg := sprintf("ephemeralContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+        }

artifacthub/library/general/containerlimits/1.0.1/artifacthub-pkg.yml

@@ -0,0 +1,25 @@
+version: 1.0.1
+name: k8scontainerlimits
+displayName: Container Limits
+createdAt: "2023-10-30T20:59:58Z"
+description: |-
+    Requires containers to have memory and CPU limits set and constrains limits to be within the specified maximum values.
+    https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+digest: fa0ce11ca6bacb6320053424c65d0626ee7ef96b4d359862eea031b13c8239ce
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/containerlimits
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Container Limits
+    Requires containers to have memory and CPU limits set and constrains limits to be within the specified maximum values.
+    https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/containerlimits/1.0.1/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library

artifacthub/library/general/containerlimits/1.0.1/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - template.yaml

artifacthub/library/general/containerlimits/1.0.1/samples/container-must-have-limits/constraint.yaml

@@ -0,0 +1,12 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sContainerLimits
+metadata:
+  name: container-must-have-limits
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    cpu: "200m"
+    memory: "1Gi"

artifacthub/library/general/containerlimits/1.0.1/samples/container-must-have-limits/example_allowed.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: opa-allowed
+  labels:
+    owner: me.agilebank.demo
+spec:
+  containers:
+    - name: opa
+      image: openpolicyagent/opa:0.9.2
+      args:
+        - "run"
+        - "--server"
+        - "--addr=localhost:8080"
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "1Gi"

artifacthub/library/general/containerlimits/1.0.1/samples/container-must-have-limits/example_disallowed.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: opa-disallowed
+  labels:
+    owner: me.agilebank.demo
+spec:
+  containers:
+    - name: opa
+      image: openpolicyagent/opa:0.9.2
+      args:
+        - "run"
+        - "--server"
+        - "--addr=localhost:8080"
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "2Gi"

artifacthub/library/general/containerlimits/1.0.1/suite.yaml

@@ -0,0 +1,17 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: containerlimits
+tests:
+- name: container-limits
+  template: template.yaml
+  constraint: samples/container-must-have-limits/constraint.yaml
+  cases:
+  - name: example-allowed
+    object: samples/container-must-have-limits/example_allowed.yaml
+    assertions:
+    - violations: no
+  - name: example-disallowed
+    object: samples/container-must-have-limits/example_disallowed.yaml
+    assertions:
+    - violations: yes