Skip to main content

Basic examples

Basic schema use-cases

Ensure a specific key exists

The following schema ensures that the key metadata.labels.app exists (regardless of its value):

properties:
  metadata:
    properties:
      labels:
        required:
          - app
    required:
      - labels

Set a minimum value for key of a specific kind

The following schema ensures that in a YAML of kind Deployment, the key spec.replicas has a value of 3 or higher:

if:
  properties:
    kind:
      enum:
        - Deployment
then:
  properties:
    spec:
      properties:
        replicas:
          minimum: 3

Note that the key maximum is also available.

Ensure value of a specific key is not one of predefined values

The following schema defines a blacklist of values for the key metadata.namespace:

properties:
  metadata:
    properties:
      namespace:
        not:
          enum:
            - default
            - misc
            - general

Full custom rule examples

Ensure correct environment labels are used

Here is an example of a custom rule logic that will ensure only pre-approved values are used (allow-list) with the label key `environment`:

customRules:
  - identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
    name: Ensure correct environment labels are used [CUSTOM RULE]
    defaultMessageOnFailure: Use only approved environment labels (`prod`, `staging` and `test`)
    schema:
      properties:
        metadata:
          properties:
            labels:
              properties:
                environment:
                  enum:
                    - prod
                    - staging
                    - test
              required:
                - environment
          required:
            - labels

Every custom rule must be coupled with a specific policy

policies:
  - name: Default
    isDefault: true
    rules:
      - identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
        messageOnFailure: ''
        # more rules... #

And this is how the Policy as code file should look:

apiVersion: v1
policies:
  - name: Default
    isDefault: true
    rules:
      - identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
        messageOnFailure: This message will override the rule's `defaultMessageOnFailure` property
#   - name: staging
#     rules:
#       - identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
#         messageOnFailure: ''

customRules:
  - identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
    name: Ensure correct environment labels are used [CUSTOM RULE]
    defaultMessageOnFailure: Use only approved environment labels (`prod`, `staging` and `test`)
    schema:
      properties:
        metadata:
          properties:
            labels:
              properties:
                environment:
                  enum:
                    - prod
                    - staging
                    - test
              required:
                - environment
          required:
            - labels
tip

Applying the new policies to your account

Enable PaC mode and publish the policies.yaml configuration (read more)

DashboardTerminal

Prevent workload from using the (system) default namespaces

Here is an example of a custom rule logic that will ensure pre-defined `namespace` values are excluded (block-list): 

apiVersion: v1
policies:
  - name: Default
    isDefault: true
    rules:
      - identifier: CUSTOM_WORKLOAD_INCORRECT_NAMESPACE_VALUE
        messageOnFailure: This message will override the rule's `defaultMessageOnFailure` property
#   - name: staging
#     rules:
#       - identifier: CUSTOM_WORKLOAD_INCORRECT_NAMESPACE_VALUE
#         messageOnFailure: ''

customRules:
  - identifier: CUSTOM_WORKLOAD_INCORRECT_NAMESPACE_VALUE
    name: Prevent workload from using the (system) default namespaces [CUSTOM RULE]
    defaultMessageOnFailure: Don't use saved namespaces (`default`, `kube-node-lease`, `kube-public` and `kube-system`)
    schema:
      properties:
        metadata:
          properties:
            namespace:
              not:
                enum:
                  - default
                  - kube-node-lease
                  - kube-public
                  - kube-syste
          required:
            - namespace

The above rule enforces similar logic to our built-in rule - ☑️ Prevent workload from using the default namespace


Ensure Deployment has replicas set between 2-10

Here is an example of a custom rule logic that will ensure the number of `replicas` is set between 2-10 for resources kind `Deployment`:

apiVersion: v1
policies:
  - name: Default
    isDefault: true
    rules:
      - identifier: CUSTOM_DEPLOYMENT_INCORRECT_REPLICAS_VALUE
        messageOnFailure: This message will override the rule's `defaultMessageOnFailure` property
#   - name: staging
#     rules:
#       - identifier: CUSTOM_DEPLOYMENT_INCORRECT_REPLICAS_VALUE
#         messageOnFailure: ''

customRules:
  - identifier: CUSTOM_DEPLOYMENT_INCORRECT_REPLICAS_VALUE
    name: Ensure Deployment has replicas set between 2-10 [CUSTOM RULE]
    defaultMessageOnFailure: Running 2 or more replicas will increase the availability of the service
    schema:
      if:
        properties:
          kind:
            enum:
              - Deployment
      then:
        properties:
          spec:
            properties:
              replicas:
                minimum: 2
                maximum: 10
            required:
              - replicas

The above rule enforces similar logic to our built-in rule - ☑️ Ensure Deployment has more than one replica configured;