Skip to main content

Examples

Here you will find examples for custom rules and common use-cases when writing policy enforcement logic, using both JSON schema and Rego.

To see an example of a ready-to-publish custom rules YAML, skip ahead.

JSON schema​

tip

The following examples may include keywords you are not familiar with.
To learn more about JSON schema and how to use it, see the official documentation

Ensure a specific key exists​

The following schema ensures that the key metadata.labels.app exists (regardless of its value):

properties:
metadata:
properties:
labels:
required:
- app
required:
- labels

Set a minimum value for key of a specific kind​

The following schema ensures that in a YAML of kind Deployment, the key spec.replicas has a value of 3 or higher:

if:
properties:
kind:
enum:
- Deployment
then:
properties:
spec:
properties:
replicas:
minimum: 3

Note that the key maximum is also available.

Ensure value of a specific key is not one of predefined values​

The following schema defines a blacklist of values for the key metadata.namespace:

properties:
metadata:
properties:
namespace:
not:
enum:
- default
- misc
- general

Ensure a specific key is not found in any container​

The following schema ensures that the key "badKey" is not defined under any container in the YAML:

definitions:
specContainers:
properties:
spec:
properties:
containers:
type: array
items:
not:
required:
- badKey
allOf:
- $ref: "#/definitions/specContainers"
additionalProperties:
$ref: "#"

Rego​

Prevent use of predefined image registry​

The following schema ensures that container images are not taken from a predefined registry (bad.registry.com/):

regoDefinition:
code: |
package DenyUnapprovedImageRegistry

violation[isBadRegistryUsed] {
container := input_containers[_]
isBadRegistryUsed := startswith(container.image, "bad.registry.com/")
}

input_containers[c] {
c := input.spec.containers[_]
}

input_containers[c] {
c := input.spec.template.spec.containers[_]
}

Ensure a specific label exists​

The following schema ensures that the label myImportantLabel exists under metadata.labels:

regoDefinition:
code: |
package examplePackage

violation[labelExists] {
provided := {label | input.metadata.labels[label]}
required := {"myImportantLabel"}
missing := required - provided
labelExists := count(missing) > 0
}

Prevent use of 'latest' tag in Deployment containers​

The following schema ensures that the latest tag is not used in any container specified in a Deployment:

regoDefinition:
code: |
package preventlatesttag

violation[usesLatest] {
input.kind == "Deployment"
imagename := input.spec.template.spec.containers[_].image
usesLatest := endswith(imagename, "latest")
}

Full custom rule examples​

The following are examples of how the Policy as code file should look before publishing it.

Reminder

To apply your new policies, publish them via the CLI.

JSON schema​

This example has one custom rule written in JSON schema and added to the policy Starter:

apiVersion: v1
policies:
- name: Starter
rules:
- identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
messageOnFailure: This message will override the rule's `defaultMessageOnFailure` property
customRules:
- identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
name: Ensure correct environment labels are used [CUSTOM RULE]
defaultMessageOnFailure: Use only approved environment labels (`prod`, `staging` and `test`)
schema:
properties:
metadata:
properties:
labels:
properties:
environment:
enum:
- prod
- staging
- test
required:
- environment
required:
- labels

Rego​

This example has two custom rules written in Rego and added to the policy Default:

apiVersion: v1
policies:
- name: Default
rules:
- identifier: CUSTOM_DEPLOYMENT_BILLING_LABEL_EXISTS
messageOnFailure: Deployment labels should contain `billing` label
- identifier: CUSTOM_SECRET_ENVIRONMENT_LABEL_EXISTS
messageOnFailure: Secret labels should contain `environment` label
customRules:
- identifier: CUSTOM_DEPLOYMENT_BILLING_LABEL_EXISTS
name: Ensure Deployment has billing label [CUSTOM RULE]
defaultMessageOnFailure: Deployment labels should contain `billing` label
schema:
regoDefinition:
libs:
- |
package lib.helpers
check_if_missing(missing) = isMissing {
isMissing := count(missing) > 0
}
code: |
package requiredlabels
import data.lib.helpers

violation[labelIsMissing] {
input.kind == "Deployment"
provided := {label | input.metadata.labels[label]}
required := {"billing"}
missing := required - provided
labelIsMissing := helpers.check_if_missing(missing)
}
- identifier: CUSTOM_SECRET_ENVIRONMENT_LABEL_EXISTS
name: Ensure Secret has environment label [CUSTOM RULE]
defaultMessageOnFailure: secret labels should contain environment label
schema:
# NOTE: you can write a constraint in JSON schema, and still write the rule logic in Rego
# In this example, the rego code will run only if the tested resource is of kind `Secret`
if:
properties:
kind:
type: string
enum:
- Secret
then:
regoDefinition:
libs:
- |
package lib.helpers
check_if_missing(missing) = isMissing {
isMissing := count(missing) > 0
}
code: |
package foosystemrequiredlabels
import data.lib.helpers

violation[labelIsMissing] {
provided := {label | input.metadata.labels[label]}
required := {"environment"}
missing := required - provided
labelIsMissing := helpers.check_if_missing(missing)
}