CUSTOM RULES



Multiple property paths

In some instances, the property you want to test against is located under several paths. For example, if you want to make sure that all container images have a pinned version, the image property can be located in multiple paths:

  • When kind is Deployment: spec.template.spec.containers[].image
  • When kind is Pod: spec.containers[].image

Writing a JSON Schema that checks the value of the image property in both of these locations can be complex. To avoid this complexity, you can implement the following rule logic instead:

  • The value of the property **.spec.containers[].image should have a pinned version

Here is an example of what that would look like:

YAML

The above rule enforces the same logic as our built-in rule: ☑️ Ensure each container image has a pinned (tag) version

Checking CPU and Memory

We extended JSON Schema with the keywords resourceMinimum and resourceMaximum to help create custom rules that compare memory and CPU resource strings such as 1000m and 1G. Here is an example of a check that memory or CPU falls within a certain range.

Let's say we want to make sure that Kubernetes configs always have a CPU limit within the range of 250m-500m. This is how the custom rule to check it would look:

YAML

And this is how the policy would look:

policies.yaml

Now, let's test this manifest after we have published the policy.

YAML

This manifest will fail because it has a container with a CPU limit that is larger than 500m:
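The following is an added example, not Datree's own code: it implements in plain Python the logic behind both rules on this page, the wildcard-path lookup from "Multiple property paths" and the quantity comparison from "Checking CPU and Memory", so you can see what the policy engine has to do and try it offline. The sample Deployment and Pod manifests are constructed for the example, and the "latest" handling in is_pinned and the memory range 128Mi-512Mi are assumptions of the example rather than something the page specifies.

```python
"""Added example, not Datree's own code: the logic behind the two custom rules on
this page in plain Python. Rule 1 walks a wildcard path such as
"**.spec.containers[].image" (any depth, so Pod and Deployment both match) and
requires a pinned image tag. Rule 2 parses Kubernetes quantities ("500m", "1G",
"1Gi") and compares them against a minimum/maximum, as resourceMinimum and
resourceMaximum do."""
import re
from fractions import Fraction

# Constructed sample manifests (not from the page), as parsed from YAML.
DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
    {"name": "web", "image": "nginx:1.25.3",
     "resources": {"limits": {"cpu": "300m", "memory": "256Mi"}}}]}}}}
POD = {"kind": "Pod", "spec": {"containers": [
    {"name": "app", "image": "nginx",  # no tag: unpinned
     "resources": {"limits": {"cpu": "750m", "memory": "1G"}}}]}}


def collect(obj, path):
    """Yield every value matching a dotted path. Tokens: "**" (any depth),
    "key" (dict key) and "key[]" (each item of the list under key)."""
    path = path.split(".") if isinstance(path, str) else path
    if not path:
        yield obj
        return
    token, rest = path[0], path[1:]
    if token == "**":
        yield from collect(obj, rest)  # match starting here ...
        children = obj.values() if isinstance(obj, dict) else obj if isinstance(obj, list) else []
        for child in children:         # ... or anywhere deeper
            yield from collect(child, path)
    elif token.endswith("[]"):
        items = obj.get(token[:-2]) if isinstance(obj, dict) else None
        for item in items if isinstance(items, list) else []:
            yield from collect(item, rest)
    elif isinstance(obj, dict) and token in obj:
        yield from collect(obj[token], rest)


def is_pinned(image):
    """An explicit tag or sha256 digest counts as pinned; the floating "latest"
    tag does not (assumption of this example). Only the last path component is
    inspected, so a registry port ("host:5000/img") is not mistaken for a tag."""
    name = image.rsplit("/", 1)[-1]
    if "@sha256:" in name:
        return True
    return ":" in name and name.split(":", 1)[1] != "latest"


# Kubernetes quantity suffixes: milli, decimal SI and binary (power-of-two) units.
_SUFFIX = {"m": Fraction(1, 1000), "": 1, "k": 10**3, "M": 10**6, "G": 10**9,
           "T": 10**12, "P": 10**15, "E": 10**18, "Ki": 2**10, "Mi": 2**20,
           "Gi": 2**30, "Ti": 2**40, "Pi": 2**50, "Ei": 2**60}
_QTY_RE = re.compile(r"^(\d+(?:\.\d+)?)(m|k|M|G|T|P|E|Ki|Mi|Gi|Ti|Pi|Ei)?$")


def parse_quantity(q):
    """Quantity in base units (cores or bytes) as an exact Fraction, so that
    "1000m" == "1" and "1Gi" > "1G" compare correctly."""
    m = _QTY_RE.match(str(q).strip())
    if not m:
        raise ValueError(f"not a Kubernetes quantity: {q!r}")
    number, suffix = m.groups()
    return Fraction(number) * _SUFFIX[suffix or ""]


def in_range(q, minimum=None, maximum=None):
    """The resourceMinimum/resourceMaximum comparison, inclusive on both ends."""
    value = parse_quantity(q)
    if minimum is not None and value < parse_quantity(minimum):
        return False
    return maximum is None or value <= parse_quantity(maximum)


def evaluate(manifest):
    """Apply both custom rules to one manifest; an empty list means it passes."""
    failures = []
    for image in collect(manifest, "**.spec.containers[].image"):
        if not is_pinned(image):
            failures.append(f"image {image!r} has no pinned (tag) version")
    limits = "**.spec.containers[].resources.limits"
    for cpu in collect(manifest, limits + ".cpu"):
        if not in_range(cpu, "250m", "500m"):
            failures.append(f"cpu limit {cpu!r} is outside 250m-500m")
    for mem in collect(manifest, limits + ".memory"):
        if not in_range(mem, "128Mi", "512Mi"):
            failures.append(f"memory limit {mem!r} is outside 128Mi-512Mi")
    return failures
```

Running evaluate(DEPLOYMENT) returns an empty list, while evaluate(POD) reports three failures: the unpinned image, the 750m CPU limit above the 500m maximum, and the 1G memory limit above 512Mi. The quantities are compared as exact fractions after unit conversion, which is what makes a rule written against "500m" still apply correctly to a manifest that spells the same limit as "0.5".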