Basic examples
Basic schema use-cases
The following examples may include keywords you are not familiar with.
To learn more about JSON schema and how to use it, see the official documentation
Ensure a specific key exists
The following schema ensures that the key metadata.labels.app exists (regardless of its value):
properties:
metadata:
properties:
labels:
required:
- app
required:
- labels
Set a minimum value for key of a specific kind
The following schema ensures that in a YAML of kind Deployment, the key spec.replicas has a value of 3 or higher:
if:
properties:
kind:
enum:
- Deployment
then:
properties:
spec:
properties:
replicas:
minimum: 3
Note that the key maximum is also available.
Ensure value of a specific key is not one of predefined values
The following schema defines a blacklist of values for the key metadata.namespace:
properties:
metadata:
properties:
namespace:
not:
enum:
- default
- misc
- general
Ensure a specific key is not found in any container
The following schema ensures that the key "badKey" is not defined under any container in the YAML:
definitions:
specContainers:
properties:
spec:
properties:
containers:
type: array
items:
not:
required:
- badKey
allOf:
- $ref: "#/definitions/specContainers"
additionalProperties:
$ref: "#"
Full custom rule examples
Ensure correct environment labels are used
Here is an example of a custom rule logic that will ensure only pre-approved values are used (allow-list) with the label key `environment`:
customRules:
- identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
name: Ensure correct environment labels are used [CUSTOM RULE]
defaultMessageOnFailure: Use only approved environment labels (`prod`, `staging` and `test`)
schema:
properties:
metadata:
properties:
labels:
properties:
environment:
enum:
- prod
- staging
- test
required:
- environment
required:
- labels
Every custom rule must be coupled with a specific policy
policies:
- name: Default
isDefault: true
rules:
- identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
messageOnFailure: ''
# more rules... #
And this is how the Policy as code file should look:
apiVersion: v1
policies:
- name: Default
isDefault: true
rules:
- identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
messageOnFailure: This message will override the rule's `defaultMessageOnFailure` property
# - name: staging
# rules:
# - identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
# messageOnFailure: ''
customRules:
- identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
name: Ensure correct environment labels are used [CUSTOM RULE]
defaultMessageOnFailure: Use only approved environment labels (`prod`, `staging` and `test`)
schema:
properties:
metadata:
properties:
labels:
properties:
environment:
enum:
- prod
- staging
- test
required:
- environment
required:
- labels
Applying the new policies to your account
Enable PaC mode and publish the policies.yaml configuration (read more)
| Dashboard | Terminal |
|---|---|
 |  |
Prevent workload from using the (system) default namespaces
Here is an example of a custom rule logic that will ensure pre-defined `namespace` values are excluded (block-list):
apiVersion: v1
policies:
- name: Default
isDefault: true
rules:
- identifier: CUSTOM_WORKLOAD_INCORRECT_NAMESPACE_VALUE
messageOnFailure: This message will override the rule's `defaultMessageOnFailure` property
# - name: staging
# rules:
# - identifier: CUSTOM_WORKLOAD_INCORRECT_NAMESPACE_VALUE
# messageOnFailure: ''
customRules:
- identifier: CUSTOM_WORKLOAD_INCORRECT_NAMESPACE_VALUE
name: Prevent workload from using the (system) default namespaces [CUSTOM RULE]
defaultMessageOnFailure: Don't use saved namespaces (`default`, `kube-node-lease`, `kube-public` and `kube-system`)
schema:
properties:
metadata:
properties:
namespace:
not:
enum:
- default
- kube-node-lease
- kube-public
- kube-syste
required:
- namespace
The above rule enforces similar logic to our built-in rule - ☑️ Prevent workload from using the default namespace
Ensure Deployment has replicas set between 2-10
Here is an example of a custom rule logic that will ensure the number of `replicas` is set between 2-10 for resources kind `Deployment`:
apiVersion: v1
policies:
- name: Default
isDefault: true
rules:
- identifier: CUSTOM_DEPLOYMENT_INCORRECT_REPLICAS_VALUE
messageOnFailure: This message will override the rule's `defaultMessageOnFailure` property
# - name: staging
# rules:
# - identifier: CUSTOM_DEPLOYMENT_INCORRECT_REPLICAS_VALUE
# messageOnFailure: ''
customRules:
- identifier: CUSTOM_DEPLOYMENT_INCORRECT_REPLICAS_VALUE
name: Ensure Deployment has replicas set between 2-10 [CUSTOM RULE]
defaultMessageOnFailure: Running 2 or more replicas will increase the availability of the service
schema:
if:
properties:
kind:
enum:
- Deployment
then:
properties:
spec:
properties:
replicas:
minimum: 2
maximum: 10
required:
- replicas
The above rule enforces similar logic to our built-in rule - ☑️ Ensure Deployment has more than one replica configured;