
Basic examples

Basic schema use-cases

Ensure a specific key exists

The following schema ensures that the key metadata.labels.app exists (regardless of its value):

```yaml
properties:
  metadata:
    properties:
      labels:
        required:
          - app
    required:
      - labels
```

Set a minimum value for a key of a specific kind

The following schema ensures that in a YAML of kind Deployment, the key spec.replicas has a value of 3 or higher:

```yaml
if:
  properties:
    kind:
      enum:
        - Deployment
then:
  properties:
    spec:
      properties:
        replicas:
          minimum: 3
```

Note that the key `maximum` is also available.

Ensure the value of a specific key is not one of several predefined values

The following schema defines a blacklist of values for the key metadata.namespace:

```yaml
properties:
  metadata:
    properties:
      namespace:
        not:
          enum:
            - default
            - misc
            - general
```

Full custom rule examples

Ensure correct environment labels are used

Here is an example of custom rule logic that ensures only pre-approved values (an allow-list) are used for the label key `environment`:

```yaml
customRules:
  - identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
    name: Ensure correct environment labels are used [CUSTOM RULE]
    defaultMessageOnFailure: Use only approved environment labels (`prod`, `staging` and `test`)
    schema:
      properties:
        metadata:
          properties:
            labels:
              properties:
                environment:
                  enum:
                    - prod
                    - staging
                    - test
              required:
                - environment
          required:
            - labels
```

Every custom rule must be coupled with a specific policy:

```yaml
policies:
  - name: Default
    isDefault: true
    rules:
      - identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
        messageOnFailure: ''
      # more rules... #
```

And this is how the complete policy-as-code file should look:

```yaml
apiVersion: v1
policies:
  - name: Default
    isDefault: true
    rules:
      - identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
        messageOnFailure: This message will override the rule's `defaultMessageOnFailure` property
  # - name: staging
  #   rules:
  #     - identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
  #       messageOnFailure: ''

customRules:
  - identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
    name: Ensure correct environment labels are used [CUSTOM RULE]
    defaultMessageOnFailure: Use only approved environment labels (`prod`, `staging` and `test`)
    schema:
      properties:
        metadata:
          properties:
            labels:
              properties:
                environment:
                  enum:
                    - prod
                    - staging
                    - test
              required:
                - environment
          required:
            - labels
```
Tip: Applying the new policies to your account

Enable PaC mode and publish the policies.yaml configuration.

Prevent workload from using the (system) default namespaces

Here is an example of custom rule logic that ensures pre-defined `namespace` values are excluded (a block-list):

```yaml
apiVersion: v1
policies:
  - name: Default
    isDefault: true
    rules:
      - identifier: CUSTOM_WORKLOAD_INCORRECT_NAMESPACE_VALUE
        messageOnFailure: This message will override the rule's `defaultMessageOnFailure` property
  # - name: staging
  #   rules:
  #     - identifier: CUSTOM_WORKLOAD_INCORRECT_NAMESPACE_VALUE
  #       messageOnFailure: ''

customRules:
  - identifier: CUSTOM_WORKLOAD_INCORRECT_NAMESPACE_VALUE
    name: Prevent workload from using the (system) default namespaces [CUSTOM RULE]
    defaultMessageOnFailure: Don't use saved namespaces (`default`, `kube-node-lease`, `kube-public` and `kube-system`)
    schema:
      properties:
        metadata:
          properties:
            namespace:
              not:
                enum:
                  - default
                  - kube-node-lease
                  - kube-public
                  - kube-system
          required:
            - namespace
```

The above rule enforces logic similar to our built-in rule - ☑️ Prevent workload from using the default namespace


Ensure Deployment has replicas set between 2-10

Here is an example of custom rule logic that ensures the number of `replicas` is set between 2 and 10 for resources of kind `Deployment`:

```yaml
apiVersion: v1
policies:
  - name: Default
    isDefault: true
    rules:
      - identifier: CUSTOM_DEPLOYMENT_INCORRECT_REPLICAS_VALUE
        messageOnFailure: This message will override the rule's `defaultMessageOnFailure` property
  # - name: staging
  #   rules:
  #     - identifier: CUSTOM_DEPLOYMENT_INCORRECT_REPLICAS_VALUE
  #       messageOnFailure: ''

customRules:
  - identifier: CUSTOM_DEPLOYMENT_INCORRECT_REPLICAS_VALUE
    name: Ensure Deployment has replicas set between 2-10 [CUSTOM RULE]
    defaultMessageOnFailure: Running 2 or more replicas will increase the availability of the service
    schema:
      if:
        properties:
          kind:
            enum:
              - Deployment
      then:
        properties:
          spec:
            properties:
              replicas:
                minimum: 2
                maximum: 10
            required:
              - replicas
```

The above rule enforces logic similar to our built-in rule - ☑️ Ensure Deployment has more than one replica configured
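To see how the three custom rules on this page behave against real manifests, here is an added example (not Datree's own code) that evaluates the page's rule schemas with a small validator covering just the JSON Schema keywords those rules use; the sample manifests are constructed.

```python
# Added example, not Datree's own code: a small evaluator for the JSON Schema
# keywords the rules on this page use (properties, required, enum, not, if/then,
# minimum, maximum). The rule schemas are the page's; the manifests are constructed.

def matches(schema, doc):
    """True if `doc` satisfies `schema`, following JSON Schema semantics."""
    if isinstance(doc, dict):
        for key, sub in schema.get("properties", {}).items():
            # An absent key is not a violation; only `required` enforces presence.
            if key in doc and not matches(sub, doc[key]):
                return False
        if any(k not in doc for k in schema.get("required", [])):
            return False
    if "enum" in schema and doc not in schema["enum"]:
        return False
    if "not" in schema and matches(schema["not"], doc):
        return False
    if isinstance(doc, (int, float)):  # minimum/maximum ignore non-numbers
        if doc < schema.get("minimum", doc) or doc > schema.get("maximum", doc):
            return False
    if "if" in schema and matches(schema["if"], doc):
        return matches(schema.get("then", {}), doc)
    return True

CUSTOM_RULES = {
    "CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS": {"properties": {"metadata": {
        "properties": {"labels": {"properties": {"environment": {
            "enum": ["prod", "staging", "test"]}}, "required": ["environment"]}},
        "required": ["labels"]}}},
    "CUSTOM_WORKLOAD_INCORRECT_NAMESPACE_VALUE": {"properties": {"metadata": {
        "properties": {"namespace": {"not": {"enum": [
            "default", "kube-node-lease", "kube-public", "kube-system"]}}},
        "required": ["namespace"]}}},
    "CUSTOM_DEPLOYMENT_INCORRECT_REPLICAS_VALUE": {
        "if": {"properties": {"kind": {"enum": ["Deployment"]}}},
        "then": {"properties": {"spec": {"properties": {"replicas": {
            "minimum": 2, "maximum": 10}}, "required": ["replicas"]}}}},
}

def failing_rules(manifest):
    """Identifiers of the custom rules that `manifest` violates."""
    return [rid for rid, s in CUSTOM_RULES.items() if not matches(s, manifest)]

# Constructed sample manifests (not taken from the page).
GOOD = {"kind": "Deployment", "spec": {"replicas": 3},
        "metadata": {"namespace": "shop", "labels": {"environment": "prod"}}}
BAD = {"kind": "Deployment", "spec": {"replicas": 1},
       "metadata": {"namespace": "kube-system", "labels": {"app": "web"}}}
```

Because `required: [replicas]` sits under `spec` and `required: [labels]` / `required: [namespace]` sit under `metadata`, a Deployment with no `spec` key passes the replicas rule and a manifest with no `metadata` key passes the label and namespace rules; add a `required` entry at the enclosing level if those cases must fail too.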