Currently konstraint only exposes the metadata of the object it parses. For libraries the Rego policy imports, it removes all metadata.
It would be nice if there were a way to expose the metadata from the imports as well.
We intend to use it the following way:
Policy Foo
```rego
# METADATA
# title: Foo
# description: Only applies to Deployments in the 'foo', 'bar', and 'baz' namespaces.
# custom:
#   matchers:
#     kinds:
#       - apiGroups:
#           - apps
#         kinds:
#           - Deployment
#     namespaces:
#       - foo
#       - bar
#       - baz
package main

import future.keywords.if
import future.keywords.contains
import data.lib.core
import data.exemptions.foo

violation contains msg if {
    not foo.is_exempt  # is_exempt lives in the imported data.exemptions.foo package
    msg := sprintf("%v is a Deployment in the foo, bar, or baz namespace", [core.resource])
}
```
with a cluster-specific exemption in the exemption library:

```rego
# METADATA
# custom:
#   matchers:
#     namespaces:
#       - additional_namespace_we_want_to_restrict
package exemptions.foo  # package name inferred from the policy's import; not shown in the original

import data.lib.core

is_exempt {
    ...
}
```
The default templating doesn't need to make use of this, but if it were exposed, a custom template could use it to easily include the namespace matcher from the library as well.
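To make the requested merge concrete, the following is an added example (not konstraint's code, and not from the issue author) that parses the `# METADATA` block of a policy and of every `import data.<pkg>` library it references, then unions their `custom.matchers` so that a custom template could emit both the policy's and the library's namespaces. The module contents, the package names, the `is_exempt` body and `core.resource` are constructed assumptions for the example, and the parser covers only the YAML subset the issue's metadata uses (nested maps, lists of scalars, lists of maps, two-space indentation).

```python
# Added example for this issue (not konstraint code): merge the custom.matchers
# section of a Rego policy's METADATA block with those of the libraries it imports.
import re

# Constructed sample modules mirroring the issue. Package names, the `is_exempt`
# body and `core.resource` are assumptions made for this example only.
MODULES = {
    "main": """\
# METADATA
# title: Foo
# custom:
#   matchers:
#     kinds:
#       - apiGroups:
#           - apps
#         kinds:
#           - Deployment
#     namespaces:
#       - foo
#       - bar
#       - baz
package main
import data.lib.core
import data.exemptions.foo
violation[msg] { not foo.is_exempt; msg := sprintf("%v", [core.resource]) }
""",
    "lib.core": "package lib.core\nresource := input.review.object.metadata.name\n",
    "exemptions.foo": """\
# METADATA
# custom:
#   matchers:
#     namespaces:
#       - additional_namespace_we_want_to_restrict
package exemptions.foo
is_exempt := false
""",
}


def _scalar(text):
    return text.strip().strip("'\"")


def _parse(lines, i, indent):
    """Parse (indent, text) tuples from lines[i:] at `indent`; returns (value, next_i).
    Supports nested maps, lists of scalars and lists of maps; no flow syntax."""
    if lines[i][1].startswith("- "):
        items = []
        while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
            body = lines[i][1][2:].strip()
            if ":" in body:  # list item that is itself a map: re-indent it and parse as a map
                lines[i] = (indent + 2, body)
                item, i = _parse(lines, i, indent + 2)
            else:
                item, i = _scalar(body), i + 1
            items.append(item)
        return items, i
    result = {}
    while i < len(lines) and lines[i][0] == indent and not lines[i][1].startswith("- "):
        key, _, rest = lines[i][1].partition(":")
        i += 1
        if rest.strip():
            result[key.strip()] = _scalar(rest)
        elif i < len(lines) and lines[i][0] > indent:
            result[key.strip()], i = _parse(lines, i, lines[i][0])
        else:
            result[key.strip()] = None
    return result, i


def extract_metadata(rego):
    """Return the parsed `# METADATA` block of a module, or {} when it has none."""
    src = rego.splitlines()
    if "# METADATA" not in src:
        return {}
    body = []
    for line in src[src.index("# METADATA") + 1:]:
        if not line.startswith("#"):  # the block ends at the first non-comment line
            break
        line = line[1:]
        body.append(line[1:] if line.startswith(" ") else line)
    lines = [(len(l) - len(l.lstrip(" ")), l.strip()) for l in body if l.strip()]
    return _parse(lines, 0, lines[0][0])[0] if lines else {}


def imported_packages(rego):
    """Packages named by `import data.<pkg>` lines; future.keywords imports are ignored."""
    return re.findall(r"^import data\.([\w.]+)", rego, re.M)


def merge_matchers(modules, policy):
    """Union custom.matchers of `policy` with those of each imported library.
    Libraries without metadata or absent from `modules` are skipped; list-valued
    matchers are de-duplicated and keep policy-first order; scalars: policy wins."""
    merged = {}
    chain = [policy] + [p for p in imported_packages(modules[policy]) if p in modules]
    for name in chain:
        matchers = extract_metadata(modules[name]).get("custom", {}).get("matchers", {})
        for key, value in matchers.items():
            if isinstance(value, list):
                bucket = merged.setdefault(key, [])
                for item in value:
                    if item not in bucket:
                        bucket.append(item)
            else:
                merged.setdefault(key, value)
    return merged


if __name__ == "__main__":
    print(merge_matchers(MODULES, "main"))
```

Running it yields a single `matchers` mapping whose `namespaces` list contains `foo`, `bar`, `baz` and `additional_namespace_we_want_to_restrict`, which is the information a custom template would need to render the library's namespace matcher alongside the policy's own.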