@warmfusion
Last active May 22, 2019 07:04
ConfTest - AND behaviour on labels error

When testing that a Deployment carries two required labels, the whole Deployment is accepted if either one of the label checks passes.

deny[msg] {
  input.kind = "Deployment"
  not input.spec.selector.matchLabels.app
  not input.spec.selector.matchLabels.release
  msg = sprintf("Deployment[%s] - Containers must provide app/release labls for pod selectors", [name])
}

Expected Behaviour

  • All rules should match before accepting
deployment.yaml
   Deployment[app_only] - Containers must provide app/release labls for pod selectors
   Deployment[release_only] - Containers must provide app/release labls for pod selectors
   Deployment[no_labels] - Containers must provide app/release labls for pod selectors

Actual

$ conftest test deployment.yaml
deployment.yaml
   Deployment[no_labels] - Containers must provide app/release labls for pod selectors

Version

conftest --version
Version: 0.6.0
Commit: a27d0739a785fc52c421339d129267772a15662f
Date: 2019-05-20T07:40:07Z

Test Case

Save the two files given below and run conftest against the deployment file:

$ conftest test deployment.yaml
deployment.yaml
   Deployment[no_labels] - Containers must provide app/release labls for pod selectors
# Save in `deployment.yaml`
apiVersion: apps/v1
kind: Deployment
metadata:
  name: only_app
spec:
  selector:
    matchLabels:
      app: example
  template:
    metadata:
      labels:
        app: example
    spec:
      containers:
      - image: docker.registry.example/example:latest
        name: example
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: only_release
spec:
  selector:
    matchLabels:
      release: "1.0"
  template:
    metadata:
      labels:
        app: example
    spec:
      containers:
      - image: docker.registry.example/example:latest
        name: example
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pass
spec:
  selector:
    matchLabels:
      app: "example"
      release: "1.0"
  template:
    metadata:
      labels:
        app: example
    spec:
      containers:
      - image: docker.registry.example/example:latest
        name: example
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: no_labels
spec:
  selector:
    matchLabels:
      not: checked
  template:
    metadata:
      labels:
        app: example
    spec:
      containers:
      - image: docker.registry.example/example:latest
        name: example
# Save in `policy/deployment.rego`
package main

name = input.metadata.name

deny[msg] {
  input.kind = "Deployment"
  not input.spec.selector.matchLabels.app
  not input.spec.selector.matchLabels.release
  msg = sprintf("Deployment[%s] - Containers must provide app/release labls for pod selectors", [name])
}
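Added example, not part of the gist: the statements in a Rego rule body are conjoined, so the two `not` lines in the policy above only both hold when the `app` and `release` labels are both absent, which is why `only_app` and `only_release` pass. The policy below collects every missing required label into a set and denies when that set is non-empty, so a single missing label is a violation; it generalises to any number of labels, and `required_labels` and `missing_labels` are names introduced here.

```rego
package main

# Same deployment name lookup as the gist's policy.
name = input.metadata.name

# Labels the pod selector must carry (assumed set, extend as needed).
required_labels = {"app", "release"}

# Partial set: every required label that is absent from the selector.
# Each label is tested on its own, so one missing label is enough
# to populate the set.
missing_labels[label] {
  label := required_labels[_]
  not input.spec.selector.matchLabels[label]
}

# Deny when at least one required label is missing. For the gist's
# test file this fires for only_app, only_release and no_labels,
# and stays silent for pass.
deny[msg] {
  input.kind = "Deployment"
  count(missing_labels) > 0
  msg = sprintf("Deployment[%s] - pod selector is missing required labels: %v", [name, missing_labels])
}
```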