Tags: opa, rego, conftest

Rego policy for Kubernetes label with /


I'm trying to write some Rego policies to enforce some company labels on our Kubernetes objects, and I'm struggling to get the right syntax for labels that have an additional slash (/) or periods (.) in them.

An example label would be:

metadata:
  labels:
    mycompany.com/teamName: foo-team

A very simple attempt I've tried is

teams := ["foo-team", "bar-team"]

deny_team_label contains msg if {
  not `input.metadata.labels.mycompany.com/team` in teams
  msg := "Must have a valid mycompany.com/team label"
}

But this fails to trigger.

If the label is

metadata:
  labels:
    teamName: foo-team

Then this policy works as expected:

teams := ["foo-team", "bar-team"]

deny_team_label contains msg if {
  not input.metadata.labels.team in teams
  msg := "Must have a valid team label"
}

Solution

  • You can "escape" the part of the path containing characters with a meaning in Rego (such as the dot), by using a string enclosed in brackets:

    teams := ["foo-team", "bar-team"]
    
    deny_team_label contains msg if {
        not input.metadata.labels["mycompany.com/team"] in teams
        msg := "Must have a valid mycompany.com/team label"
    }
    

    See the example in the OPA docs here.
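A fuller version of the bracket-indexed policy, added here as an example (it is not from the answer or the OPA docs). It reports a missing label separately from a wrong one and also checks the pod template of workload objects. The `mycompany.com/team` key and the team list come from the page; the `main` package, the `label_paths` helper and the message format are assumptions.

```rego
package main

import rego.v1

# Constructed allow-list; the real team names are an assumption here.
teams := {"foo-team", "bar-team"}

# Keys containing "." or "/" cannot be dotted: input.metadata.labels.mycompany.com
# would be parsed as three nested keys. Index with a string literal instead.
team_label := "mycompany.com/team"

# Every label set worth checking: the object itself and, for workloads such as
# Deployments, the pod template it stamps out (assumed path layout).
label_paths contains ["metadata", "labels"]

label_paths contains ["spec", "template", "metadata", "labels"] if input.spec.template

# Missing label. A bare `not labels[team_label] in teams` would also fire when the
# label is absent, but a dedicated message tells the author what to add.
deny contains msg if {
	some path in label_paths
	object.get(input, array.concat(path, [team_label]), null) == null
	msg := sprintf("%s/%s: missing %q label at %s", [input.kind, input.metadata.name, team_label, concat(".", path)])
}

# Label present but its value is not one of the allowed teams.
deny contains msg if {
	some path in label_paths
	team := object.get(input, array.concat(path, [team_label]), null)
	team != null
	not team in teams
	msg := sprintf("%s/%s: %q=%q is not an allowed team", [input.kind, input.metadata.name, team_label, team])
}
```

Run it with `conftest test deployment.yaml` against a manifest; a Deployment missing the label on both the object and its pod template produces two separate messages.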