From a1550a8b239400f0fc79f6768bbcbdca13a9cfad Mon Sep 17 00:00:00 2001 From: AhmedSa-mir Date: Thu, 4 Aug 2022 16:39:04 +0200 Subject: [PATCH] Fix Image Tag Policy --- policies/ControllerImageTag/policy.rego | 22 ++++++++++------------ policies/ControllerImageTag/policy.yaml | 24 +++++++++++------------- 2 files changed, 21 insertions(+), 25 deletions(-) diff --git a/policies/ControllerImageTag/policy.rego b/policies/ControllerImageTag/policy.rego index 408e6591..5aa9f40e 100644 --- a/policies/ControllerImageTag/policy.rego +++ b/policies/ControllerImageTag/policy.rego @@ -1,4 +1,5 @@ package weave.advisor.images.image_tag_enforce +import future.keywords image_tag := input.parameters.image_tag exclude_namespace := input.parameters.exclude_namespace 
@@ -8,45 +9,42 @@ exclude_label_value := input.parameters.exclude_label_value violation[result] { not exclude_namespace == controller_input.metadata.namespace not exclude_label_value == controller_input.metadata.labels[exclude_label_key] - some i - containers = controller_spec.containers[i] - splittedUrl = split(containers.image, "/") + some i,container in controller_spec.containers + splittedUrl = split(container.image, "/") image = splittedUrl[count(splittedUrl)-1] not contains(image, ":") result = { "issue detected": true, - "msg": sprintf("Container %s image is not tagged", containers[i].name), + "msg": sprintf("Container %s image is not tagged", container.name), "violating_key": sprintf("spec.template.spec.containers[%v].image", [i]) } } violation[result] { - some i - containers = controller_spec.containers[i] - splittedUrl = split(containers.image, "/") + some i,container in controller_spec.containers + splittedUrl = split(container.image, "/") image = splittedUrl[count(splittedUrl)-1] count(split(image, ":")) == 2 [image_name, tag] = split(image, ":") tag == image_tag result = { "issue detected": true, - "msg": sprintf("Container %s image contains unapproved tag '%v'", [containers[i].name, image_tag]), + "msg": sprintf("Container %s image contains unapproved tag '%v'", [container.name, image_tag]), "image": image, "violating_key": sprintf("spec.template.spec.containers[%v].image", [i]) } } violation[result] { - some i - containers = controller_spec.containers[i] - splittedUrl = split(containers.image, "/") + some i,container in controller_spec.containers + splittedUrl = split(container.image, "/") image = splittedUrl[count(splittedUrl)-1] count(split(image, ":")) == 3 [image_name, port, tag] = split(image, ":") tag == image_tag result = { "issue detected": true, - "msg": sprintf("Container %s image contains unapproved tag:'%v'", [containers[i].name, image_tag]), + "msg": sprintf("Container %s image contains unapproved tag:'%v'", [container.name, image_tag]), 
"image": image, "violating_key": sprintf("spec.template.spec.containers[%v].image", [i]) } diff --git a/policies/ControllerImageTag/policy.yaml b/policies/ControllerImageTag/policy.yaml index 34b13dd4..56bed151 100644 --- a/policies/ControllerImageTag/policy.yaml +++ b/policies/ControllerImageTag/policy.yaml @@ -46,6 +46,7 @@ spec: value: code: |- package weave.advisor.images.image_tag_enforce + import future.keywords image_tag := input.parameters.image_tag exclude_namespace := input.parameters.exclude_namespace 
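Review bot: The first violation rule's `msg` line, `sprintf("Container %s image is not tagged", container.name)`, still passes a bare string as sprintf's second operand while the other two rules in this hunk pass an array; OPA declares that operand as an array, so this line is likely to be rejected at type-check time and take the whole policy with it, leaving nothing enforced. The line should read `"msg": sprintf("Container %s image is not tagged", [container.name]),`. The identical line appears in the copy of the rules embedded under `code:` in policies/ControllerImageTag/policy.yaml in this patch and needs the same change. Since that YAML block is a verbatim copy of policy.rego, a short comment at the top of policy.rego saying so would help keep the two in sync.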
@@ -55,45 +56,42 @@ spec: violation[result] { not exclude_namespace == controller_input.metadata.namespace not exclude_label_value == controller_input.metadata.labels[exclude_label_key] - some i - containers = controller_spec.containers[i] - splittedUrl = split(containers.image, "/") + some i,container in controller_spec.containers + splittedUrl = split(container.image, "/") image = splittedUrl[count(splittedUrl)-1] not contains(image, ":") result = { "issue detected": true, - "msg": sprintf("Container %s image is not tagged", containers[i].name), + "msg": sprintf("Container %s image is not tagged", container.name), "violating_key": sprintf("spec.template.spec.containers[%v].image", [i]) } } violation[result] { - some i - containers = controller_spec.containers[i] - splittedUrl = split(containers.image, "/") + some i,container in controller_spec.containers + splittedUrl = split(container.image, "/") image = splittedUrl[count(splittedUrl)-1] count(split(image, ":")) == 2 [image_name, tag] = split(image, ":") tag == image_tag result = { "issue detected": true, - "msg": sprintf("Container %s image contains unapproved tag '%v'", [containers[i].name, image_tag]), + "msg": sprintf("Container %s image contains unapproved tag '%v'", [container.name, image_tag]), "image": image, "violating_key": sprintf("spec.template.spec.containers[%v].image", [i]) } } violation[result] { - some i - containers = controller_spec.containers[i] - splittedUrl = split(containers.image, "/") + some i,container in controller_spec.containers + splittedUrl = split(container.image, "/") image = splittedUrl[count(splittedUrl)-1] count(split(image, ":")) == 3 [image_name, port, tag] = split(image, ":") tag == image_tag result = { "issue detected": true, - "msg": sprintf("Container %s image contains unapproved tag:'%v'", [containers[i].name, image_tag]), + "msg": sprintf("Container %s image contains unapproved tag:'%v'", [container.name, image_tag]), "image": image, "violating_key": 
sprintf("spec.template.spec.containers[%v].image", [i]) } @@ -113,4 +111,4 @@ spec: contains_kind(kind, kinds) { kinds[_] = kind - } + } \ No newline at end of file
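Review bot: The second and third violation rules rewritten in this hunk do not carry the `not exclude_namespace == controller_input.metadata.namespace` and `not exclude_label_value == ...` guards that the first rule has, so a controller in the excluded namespace or bearing the exclude label is exempt from the untagged check but still reported for an unapproved tag. If that asymmetry is intended it deserves a comment on those rules; if not, the two guard lines from the first rule should be repeated at the top of each. The same structure is in policies/ControllerImageTag/policy.rego in this patch. Separately, digest-pinned references (`image@sha256:<digest>`) pass all three rules because the last path segment contains a ":" and its digest part would only match if it equalled image_tag; that is probably acceptable, but a comment noting it would stop a reader from mistaking it for a gap.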