package kubernetes.admissionimport data.kubernetes.namespacesimport input.re

1. package kubernetes.admission
2.  
3. import data.kubernetes.namespaces
4.  
5. import input.request.object.metadata.annotations as annotations
6.  
7. deny[msg] {
8. input.request.kind.kind = "Service"
9. input.request.operation = "CREATE"
10. input.request.object.spec.type = "LoadBalancer"
11. missing_required_annotations[msg]
12. }
13.  
14. # Require use of Security Group sg-123
15. missing_required_annotations[msg] {
16. not annotations["service.beta.kubernetes.io/aws-load-balancer-security-groups"] = "sg-123"
17. msg = "Services of type LoadBalancer must use Security Group sg-123"
18. }