Examples
Here you will find examples for custom rules and common use-cases when writing policy enforcement logic, using both JSON schema and Rego.
To see an example of a ready-to-publish custom rules YAML, skip ahead.
JSON schema
The following examples may include keywords you are not familiar with.
To learn more about JSON schema and how to use it, see the official documentation
Ensure a specific key exists
The following schema ensures that the key metadata.labels.app exists (regardless of its value):
properties:
metadata:
properties:
labels:
required:
- app
required:
- labels
Set a minimum value for key of a specific kind
The following schema ensures that in a YAML of kind Deployment, the key spec.replicas has a value of 3 or higher:
if:
properties:
kind:
enum:
- Deployment
then:
properties:
spec:
properties:
replicas:
minimum: 3
Note that the key maximum is also available.
Ensure value of a specific key is not one of predefined values
The following schema defines a blacklist of values for the key metadata.namespace:
properties:
metadata:
properties:
namespace:
not:
enum:
- default
- misc
- general
Ensure a specific key is not found in any container
The following schema ensures that the key "badKey" is not defined under any container in the YAML:
definitions:
specContainers:
properties:
spec:
properties:
containers:
type: array
items:
not:
required:
- badKey
allOf:
- $ref: "#/definitions/specContainers"
additionalProperties:
$ref: "#"
Rego
Prevent use of predefined image registry
The following schema ensures that container images are not taken from a predefined registry (bad.registry.com/):
regoDefinition:
code: |
package DenyUnapprovedImageRegistry
violation[isBadRegistryUsed] {
container := input_containers[_]
isBadRegistryUsed := startswith(container.image, "bad.registry.com/")
}
input_containers[c] {
c := input.spec.containers[_]
}
input_containers[c] {
c := input.spec.template.spec.containers[_]
}
Ensure a specific label exists
The following schema ensures that the label myImportantLabel exists under metadata.labels:
regoDefinition:
code: |
package examplePackage
violation[labelExists] {
provided := {label | input.metadata.labels[label]}
required := {"myImportantLabel"}
missing := required - provided
labelExists := count(missing) > 0
}
Prevent use of 'latest' tag in Deployment containers
The following schema ensures that the latest tag is not used in any container specified in a Deployment:
regoDefinition:
code: |
package preventlatesttag
violation[usesLatest] {
input.kind == "Deployment"
imagename := input.spec.template.spec.containers[_].image
usesLatest := endswith(imagename, "latest")
}
Full custom rule examples
The following are examples of how the Policy as code file should look before publishing it.
To apply your new policies, publish them via the CLI.
JSON schema
This example has one custom rule written in JSON schema and added to the policy Starter:
apiVersion: v1
policies:
- name: Starter
rules:
- identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
messageOnFailure: This message will override the rule's `defaultMessageOnFailure` property
customRules:
- identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
name: Ensure correct environment labels are used [CUSTOM RULE]
defaultMessageOnFailure: Use only approved environment labels (`prod`, `staging` and `test`)
schema:
properties:
metadata:
properties:
labels:
properties:
environment:
enum:
- prod
- staging
- test
required:
- environment
required:
- labels
Rego
This example has two custom rules written in Rego and added to the policy Default:
apiVersion: v1
policies:
- name: Default
rules:
- identifier: CUSTOM_DEPLOYMENT_BILLING_LABEL_EXISTS
messageOnFailure: Deployment labels should contain `billing` label
- identifier: CUSTOM_SECRET_ENVIRONMENT_LABEL_EXISTS
messageOnFailure: Secret labels should contain `environment` label
customRules:
- identifier: CUSTOM_DEPLOYMENT_BILLING_LABEL_EXISTS
name: Ensure Deployment has billing label [CUSTOM RULE]
defaultMessageOnFailure: Deployment labels should contain `billing` label
schema:
regoDefinition:
libs:
- |
package lib.helpers
check_if_missing(missing) = isMissing {
isMissing := count(missing) > 0
}
code: |
package requiredlabels
import data.lib.helpers
violation[labelIsMissing] {
input.kind == "Deployment"
provided := {label | input.metadata.labels[label]}
required := {"billing"}
missing := required - provided
labelIsMissing := helpers.check_if_missing(missing)
}
- identifier: CUSTOM_SECRET_ENVIRONMENT_LABEL_EXISTS
name: Ensure Secret has environment label [CUSTOM RULE]
defaultMessageOnFailure: secret labels should contain environment label
schema:
# NOTE: you can write a constraint in JSON schema, and still write the rule logic in Rego
# In this example, the rego code will run only if the tested resource is of kind `Secret`
if:
properties:
kind:
type: string
enum:
- Secret
then:
regoDefinition:
libs:
- |
package lib.helpers
check_if_missing(missing) = isMissing {
isMissing := count(missing) > 0
}
code: |
package foosystemrequiredlabels
import data.lib.helpers
violation[labelIsMissing] {
provided := {label | input.metadata.labels[label]}
required := {"environment"}
missing := required - provided
labelIsMissing := helpers.check_if_missing(missing)
}