apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sazureblockdefault
spec:
  crd:
    spec:
      names:
        kind: K8sAzureBlockDefault
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sazureblockdefault

        violation[{"msg": msg}] {
          obj := input.review.object
          is_default_namespace(obj.metadata)
          not is_allowed(obj)
          msg := sprintf("Usage of the default namespace is not allowed, name: %v, kind: %v", [obj.metadata.name, obj.kind])
        }

        is_default_namespace(metadata) {
          not metadata.namespace
        }

        is_default_namespace(metadata) {
          metadata.namespace == "default"
        }

        is_allowed(obj) {
          obj.kind == "ServiceAccount"
          obj.metadata.name == "default"
        }

        is_allowed(obj) {
          obj.kind == "Secret"
          obj.type == "kubernetes.io/service-account-token"
          obj.metadata.annotations["kubernetes.io/service-account.name"] == "default"
        }

        is_allowed(obj) {
          obj.kind == "Service"
          obj.metadata.name == "kubernetes"
        }