Hello, newbie in Rego here.
The sample provided to create a namespace with unique labels works like a charm:
https://github.com/open-policy-agent/gatekeeper/blob/b7230e0bdc3479b867acd2fd0d7192b1182c59d4/demo/basic/templates/k8suniquelabel_template.yaml#L47
The provided example allows a unique label to be configured across all namespaces. I tried to make a similar change with a few tweaks, basically to allow a unique annotation to be configured across all services.
Here is what my violation logic looks like in the ConstraintTemplate:
violation[{"msg": msg, "details": {"value": val, "annotation": annotation}}] {
  # annotation key to enforce, taken from the Constraint's parameters
  annotation := input.parameters.annotation
  # value on the object under review; undefined (rule does not fire) if the annotation is absent
  val := input.review.object.metadata.annotations[annotation]
  # every replicated object other than the one being reviewed
  # (identical_cluster / identical_namespace are the helper rules from the Gatekeeper demo template k8suniquelabel_template.yaml)
  cluster_objs := [o | o = data.inventory.cluster[_][_][_]; not identical_cluster(o, input.review)]
  ns_objs := [o | o = data.inventory.namespace[_][_][_][_]; not identical_namespace(o, input.review)]
  all_objs := array.concat(cluster_objs, ns_objs)
  # values of that annotation already present on other objects
  all_values := {val | obj = all_objs[_]; val = obj.metadata.annotations[annotation]}
  # violation when the reviewed value is already taken
  count({val} - all_values) == 0
  msg := sprintf("annotation %v has duplicate value %v", [annotation, val])
}
A change has been made in spec.crd.spec.validation.openAPIV3Schema.properties.annotation (instead of label), and a corresponding change has been made in the object that this template creates (snippet below).
However, when I create service 1 with the annotation external-dns.alpha.kubernetes.io/hostname: mydomain.com and service 2 with the same annotation (key-value pair), OPA doesn't deny it, whereas the same logic works for labels on the Namespace object. Any pointers I could look into? I'm more curious to know whether the syntax used in the violation logic is right.
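The following is an added example, not code from the post above or from the Gatekeeper project: a Python model of the unique-annotation violation rule, run against a constructed copy of the replicated inventory (`data.inventory`) that Gatekeeper exposes to Rego. It assumes Gatekeeper's documented cache layout (`data.inventory.cluster[<groupVersion>][<kind>][<name>]` for cluster-scoped objects, `data.inventory.namespace[<namespace>][<groupVersion>][<kind>][<name>]` for namespaced ones) and the documented behaviour that only kinds listed under `spec.sync.syncOnly` in the `Config` resource are replicated. The sample objects, the `build_inventory`, `identical`, `violations` and `check_with_sync` functions are all constructed here for illustration. It goes one step beyond the post by showing the same rule evaluated both with the demo's sync list (Namespace only) and with Service added to it.

```python
# Added example (not from the post or the Gatekeeper project): a Python model of
# the unique-annotation violation rule, evaluated against a constructed copy of
# Gatekeeper's replicated inventory.
#
# Documented cache layout:
#   data.inventory.cluster[<groupVersion>][<kind>][<name>]                 (cluster-scoped)
#   data.inventory.namespace[<namespace>][<groupVersion>][<kind>][<name>]  (namespaced)
# Only kinds listed under spec.sync.syncOnly in the Config resource are replicated.

ANNOTATION = "external-dns.alpha.kubernetes.io/hostname"

# Constructed sample objects already in the cluster: one Namespace and one
# Service carrying the external-dns hostname annotation from the post.
EXISTING_OBJECTS = [
    {"apiVersion": "v1", "kind": "Namespace",
     "metadata": {"name": "team-a", "labels": {"owner": "team-a"}}},
    {"apiVersion": "v1", "kind": "Service",
     "metadata": {"name": "web", "namespace": "team-a",
                  "annotations": {ANNOTATION: "mydomain.com"}}},
]

# Constructed admission review object for "service 2": a different Service, in a
# different namespace, reusing the same annotation value.
INCOMING_SERVICE = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "api", "namespace": "team-b",
                 "annotations": {ANNOTATION: "mydomain.com"}},
}


def build_inventory(objects, synced_kinds):
    """Replicate objects into the inventory layout. Kinds absent from
    synced_kinds are dropped, which is what happens in a cluster whose Config
    syncOnly list does not include them."""
    inv = {"cluster": {}, "namespace": {}}
    for obj in objects:
        kind, gv, meta = obj["kind"], obj["apiVersion"], obj["metadata"]
        if kind not in synced_kinds:
            continue
        if "namespace" in meta:
            bucket = inv["namespace"].setdefault(meta["namespace"], {})
        else:
            bucket = inv["cluster"]
        bucket.setdefault(gv, {}).setdefault(kind, {})[meta["name"]] = obj
    return inv


def identical(obj, review_obj):
    """Equivalent of the identical_cluster / identical_namespace helper rules:
    skip the reviewed object's own stored copy so an update does not collide
    with itself."""
    return (obj["kind"] == review_obj["kind"]
            and obj["metadata"]["name"] == review_obj["metadata"]["name"]
            and obj["metadata"].get("namespace") == review_obj["metadata"].get("namespace"))


def violations(review_obj, annotation, inv):
    """Port of the violation rule: deny when any other replicated object
    already carries the same value for the annotation."""
    val = review_obj["metadata"].get("annotations", {}).get(annotation)
    if val is None:  # annotations[annotation] undefined in Rego: the rule does not fire
        return []
    cluster_objs = [o for gv in inv["cluster"].values()
                    for kinds in gv.values() for o in kinds.values()]
    ns_objs = [o for ns in inv["namespace"].values() for gv in ns.values()
               for kinds in gv.values() for o in kinds.values()]
    all_values = {o["metadata"].get("annotations", {}).get(annotation)
                  for o in cluster_objs + ns_objs if not identical(o, review_obj)}
    all_values.discard(None)  # objects without the annotation contribute nothing
    if val in all_values:
        return [f"annotation {annotation} has duplicate value {val}"]
    return []


def check_with_sync(synced_kinds):
    """Evaluate the incoming Service against an inventory replicated for the given kinds."""
    inv = build_inventory(EXISTING_OBJECTS, synced_kinds)
    return violations(INCOMING_SERVICE, ANNOTATION, inv)


if __name__ == "__main__":
    # With only Namespace replicated, the existing Service is invisible to the rule.
    print(check_with_sync({"Namespace"}))
    # With Service replicated as well, the duplicate hostname is reported.
    print(check_with_sync({"Namespace", "Service"}))
```

The point the model makes is that the rule itself behaves the same for annotations as for labels; what differs is what `data.inventory` contains. The demo ships a `Config` whose `spec.sync.syncOnly` lists only `{group: "", version: "v1", kind: "Namespace"}`, so a Service-level check has nothing to compare against until `{group: "", version: "v1", kind: "Service"}` is added to that list. A quick way to confirm what the cache holds in a live cluster is to query `data.inventory` from the Gatekeeper audit or webhook pod's OPA and check that Services appear under the expected namespace path.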