
Overview
In this article, we are going to learn how to create a Rego rule for a Kubernetes Deployment manifest.
The policy will check whether the labels we define exist in our pod manifest file.
In order to evaluate the manifest in Rego, we will convert our pod manifest file (which is in YAML format) to JSON format. We will name it "input.json".
Working Example
Let's create a directory called test7 and create 2 files as below:

policy.rego
package k8srequiredlabels

violation[{"msg": msg, "details": {"missing_labels": missing}}] {
    input.kind == "deployment"
    provided := {x | input.metadata.labels[x]}
    required := {"gatekeeper", "foo"}
    missing := required - provided
    count(missing) > 0
    msg := sprintf("you must provide labels: %v", [missing])
}

input.json
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "simple-pod",
    "labels": {
      "gatekeeper": "xyz",
      "foo": "bar"
    }
  },
  "spec": {
    "containers": [
      {
        "name": "nginx-container",
        "image": "nginx:1.17.4"
      }
    ]
  }
}

Understanding Rule
package k8srequiredlabels

violation[{"msg": msg, "details": {"missing_labels": missing}}] {
    input.kind == "deployment"
    provided := {x | input.metadata.labels[x]}
    required := {"gatekeeper", "foo"}
    missing := required - provided
    count(missing) > 0
    msg := sprintf("you must provide labels: %v", [missing])
}
In Rego, a rule evaluates to true only if all the conditions inside the rule block are true. In our policy there are 2 conditions:
- input.kind == "deployment"
- count(missing) > 0
If both conditions are true, the rule is true and the "msg" will be displayed. This means that if either condition is false, the "msg" will not be displayed.
Let's see this through an experiment.
Now let's test our policy.
Testing with existing policy.rego and input.json:
Let's run the command below to test the policy:
opa eval --input input.json --data policy.rego 'data.k8srequiredlabels.violation'
The output:
rajeevghosh@penguin:~/OPA/test7$ opa eval --input input.json --data policy.rego 'data.k8srequiredlabels.violation'
{
  "result": [
    {
      "expressions": [
        {
          "value": [],
          "text": "data.k8srequiredlabels.violation",
          "location": {
            "row": 1,
            "col": 1
          }
        }
      ]
    }
  ]
}
rajeevghosh@penguin:~/OPA/test7$

The "value" field returns an empty list [ ], since not all the conditions are true (actually both conditions are false: (a) we have kind "Pod" in input.json, and (b) the statement count(missing) > 0 is false, since the provided labels and the required labels are the same). Hence, the "msg" will NOT be displayed.
Now let's make both conditions true so that the rule returns true and the msg is displayed.
Testing with modified input.json (policy.rego unchanged)
Let's make changes to the input.json file as below. Remember that our policy.rego file remains the same.
input.json – before
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "simple-pod",
    "labels": {
      "gatekeeper": "xyz",
      "foo": "bar"
    }
  },
  "spec": {
    "containers": [
      {
        "name": "nginx-container",
        "image": "nginx:1.17.4"
      }
    ]
  }
}
input.json – after
{
  "apiVersion": "v1",
  "kind": "deployment",
  "metadata": {
    "name": "simple-pod",
    "labels": {
      "gatekeeper": "xyz"
    }
  },
  "spec": {
    "containers": [
      {
        "name": "nginx-container",
        "image": "nginx:1.17.4"
      }
    ]
  }
}

What changes have we made to the input.json file? We have changed kind to "deployment" and removed one of the labels: "foo".
Now let's test the policy again.
opa eval --input input.json --data policy.rego 'data.k8srequiredlabels.violation'
The output:
rajeevghosh@penguin:~/OPA/test7$ opa eval --input input.json --data policy.rego 'data.k8srequiredlabels.violation'
{
  "result": [
    {
      "expressions": [
        {
          "value": [
            {
              "details": {
                "missing_labels": [
                  "foo"
                ]
              },
              "msg": "you must provide labels: {\"foo\"}"
            }
          ],
          "text": "data.k8srequiredlabels.violation",
          "location": {
            "row": 1,
            "col": 1
          }
        }
      ]
    }
  ]
}
rajeevghosh@penguin:~/OPA/test7$

Look at the value field: now we see that the "msg" is displayed. Why?
This is because both of the conditions below are now true in the rule:
- input.kind == "deployment"
- count(missing) > 0
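The two runs above can be captured as unit tests instead of editing input.json by hand. The test file below is an added example, not part of the original article; it uses the same pre-1.0 Rego syntax as policy.rego, and the file name policy_test.rego and the test names are my choice. It also adds a case with no labels at all and a case that shows the kind guard: a Pod missing a required label is not reported.

```rego
package k8srequiredlabels

# Case 1 from the article: kind "Pod" with both labels present -> no violation.
test_pod_with_all_labels_no_violation {
    count(violation) == 0 with input as {
        "kind": "Pod",
        "metadata": {"name": "simple-pod", "labels": {"gatekeeper": "xyz", "foo": "bar"}}
    }
}

# Case 2 from the article: kind "deployment" with "foo" removed -> one violation naming "foo".
test_deployment_missing_foo_is_reported {
    result := violation with input as {
        "kind": "deployment",
        "metadata": {"name": "simple-pod", "labels": {"gatekeeper": "xyz"}}
    }
    count(result) == 1
    some v
    result[v]
    v.details.missing_labels == {"foo"}
    v.msg == "you must provide labels: {\"foo\"}"
}

# Added case: no "labels" key at all. input.metadata.labels[x] is undefined, so the
# comprehension yields an empty set and both required labels are reported.
test_deployment_without_labels_reports_both {
    result := violation with input as {
        "kind": "deployment",
        "metadata": {"name": "no-labels"}
    }
    count(result) == 1
    some v
    result[v]
    v.details.missing_labels == {"gatekeeper", "foo"}
}

# Added case: the kind guard means a Pod missing "foo" produces no violation.
# The rule only fires when input.kind is exactly "deployment".
test_pod_missing_label_is_not_reported {
    count(violation) == 0 with input as {
        "kind": "Pod",
        "metadata": {"name": "simple-pod", "labels": {"gatekeeper": "xyz"}}
    }
}
```

Save it as policy_test.rego next to policy.rego in the test7 directory and run `opa test -v .`; all four tests should pass against the article's policy.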
This concludes our 6th tutorial on OPA (Open Policy Agent): Part-5: Rego – Ensuring labels for Kubernetes Deployment.
You may download the code from here.