In addition to the tool's built-in rules, you can also write any tests that you wish and run them against your Kubernetes configurations to check for rule violations. The custom rule engine is based on JSON Schema, so it supports both YAML and JSON declarative syntax.
Note that using custom rules is possible only when in Policy as code mode.
Each custom rule is defined by the following properties:
- identifier - a unique ID to associate with a policy
- name [OPTIONAL] - a title that is shown when the rule fails
- defaultMessageOnFailure [OPTIONAL] - a message that is shown when the property policies.name.rules.messageOnFailure is empty (unique to each identifier)
- schema - the custom rule logic, written in JSON Schema (as YAML)
Here are some examples of basic use-cases:
- Ensure a specific key exists
- Set a minimum value for a key on resources of a specific kind
- Ensure value of a specific key is not one of predefined values
Here are three examples of custom rules to showcase how you can set it up:
- Ensure correct environment labels are used
- Prevent workload from using the (system) default namespaces
- Ensure a Deployment has replicas set between 2 and 10
The provided examples are written as YAML, but custom rules can also be specified as JSON strings.
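The following is an added example, not code from the page or the tool it describes. It writes the three custom rules listed above as JSON Schema (as Python dicts, the same structure a YAML rule parses into) and evaluates them against constructed sample manifests with a minimal evaluator that covers only the keywords these rules use (properties, required, enum, not, minimum, maximum, if/then/else). The real tool validates full JSON Schema; the rule identifiers, failure messages and manifests here are assumptions made for illustration.

```python
# Added example (not the tool's own engine): the three custom rules from the
# page written as JSON Schema, plus a minimal evaluator for the keywords they
# use (properties, required, enum, not, minimum, maximum, if/then/else).
# Identifiers, messages and the sample manifests below are constructed.

def _is_number(value):
    # bool is a subclass of int in Python, but "replicas: true" is not a count
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def validate(schema, data, path="$"):
    """Return a list of violation strings; an empty list means data conforms."""
    errors = []
    if "enum" in schema and data not in schema["enum"]:
        errors.append(f"{path}: {data!r} is not one of {schema['enum']}")
    if "minimum" in schema and _is_number(data) and data < schema["minimum"]:
        errors.append(f"{path}: {data} is below the minimum {schema['minimum']}")
    if "maximum" in schema and _is_number(data) and data > schema["maximum"]:
        errors.append(f"{path}: {data} is above the maximum {schema['maximum']}")
    # "not" passes only when the inner schema fails
    if "not" in schema and not validate(schema["not"], data, path):
        errors.append(f"{path}: {data!r} matches a forbidden value")
    # Object keywords apply only when the instance is a mapping
    if isinstance(data, dict):
        for key in schema.get("required", []):
            if key not in data:
                errors.append(f"{path}.{key}: required key is missing")
        for key, sub in schema.get("properties", {}).items():
            if key in data:
                errors.extend(validate(sub, data[key], f"{path}.{key}"))
    # if/then/else: apply "then" when the condition matches, otherwise "else"
    if "if" in schema:
        branch = "then" if not validate(schema["if"], data, path) else "else"
        if branch in schema:
            errors.extend(validate(schema[branch], data, path))
    return errors


SYSTEM_NAMESPACES = ["default", "kube-system", "kube-public", "kube-node-lease"]

CUSTOM_RULES = [
    {   # Ensure correct environment labels are used
        "identifier": "CUSTOM_ENVIRONMENT_LABEL",
        "defaultMessageOnFailure": "set metadata.labels.environment to prod, staging or dev",
        "schema": {"required": ["metadata"], "properties": {"metadata": {
            "required": ["labels"], "properties": {"labels": {
                "required": ["environment"],
                "properties": {"environment": {"enum": ["prod", "staging", "dev"]}}}}}}},
    },
    {   # Prevent workloads from using the (system) default namespaces;
        # namespace is required because an omitted namespace means "default"
        "identifier": "CUSTOM_NO_SYSTEM_NAMESPACE",
        "defaultMessageOnFailure": "set metadata.namespace to a namespace other than "
                                   + ", ".join(SYSTEM_NAMESPACES),
        "schema": {"required": ["metadata"], "properties": {"metadata": {
            "required": ["namespace"],
            "properties": {"namespace": {"not": {"enum": SYSTEM_NAMESPACES}}}}}},
    },
    {   # Ensure a Deployment has replicas between 2 and 10; if/then keeps the
        # rule from firing on other kinds (Pod, Job, ...)
        "identifier": "CUSTOM_DEPLOYMENT_REPLICAS_RANGE",
        "defaultMessageOnFailure": "spec.replicas of a Deployment must be between 2 and 10",
        "schema": {
            "if": {"required": ["kind"], "properties": {"kind": {"enum": ["Deployment"]}}},
            "then": {"required": ["spec"], "properties": {"spec": {
                "required": ["replicas"],
                "properties": {"replicas": {"minimum": 2, "maximum": 10}}}}},
        },
    },
]


def check_manifest(manifest, rules=CUSTOM_RULES):
    """Evaluate every custom rule against one manifest; one dict per failing rule."""
    failures = []
    for rule in rules:
        violations = validate(rule["schema"], manifest)
        if violations:
            failures.append({"identifier": rule["identifier"],
                             "message": rule["defaultMessageOnFailure"],
                             "violations": violations})
    return failures


# Constructed sample manifests (what the YAML files would parse into)
GOOD_DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment",
                   "metadata": {"name": "api", "namespace": "payments",
                                "labels": {"app": "api", "environment": "prod"}},
                   "spec": {"replicas": 3}}
BAD_DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment",
                  "metadata": {"name": "api", "namespace": "kube-system",
                               "labels": {"app": "api"}},
                  "spec": {"replicas": 1}}
POD_NO_NAMESPACE = {"apiVersion": "v1", "kind": "Pod",
                    "metadata": {"name": "debug", "labels": {"environment": "dev"}},
                    "spec": {"containers": []}}

if __name__ == "__main__":
    for name, manifest in [("good", GOOD_DEPLOYMENT), ("bad", BAD_DEPLOYMENT),
                           ("pod", POD_NO_NAMESPACE)]:
        for failure in check_manifest(manifest):
            print(f"{name}: {failure['identifier']} - {failure['message']}")
            print("    " + "; ".join(failure["violations"]))
```

Running the block reports nothing for the good Deployment, all three rules for the bad one, and only the namespace rule for the Pod: the Pod omits metadata.namespace, which Kubernetes treats as the default namespace, so the rule requires the key rather than only forbidding the listed values. The replicas rule uses if/then so that a Pod or Job is not rejected for lacking spec.replicas.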