OPA Rego for any type storage class deny creation of default #217
Replies: 10 comments 6 replies
-
Hi there! Could you please provide a link to the Rego Playground with both your policy and an example input that you would expect to match?
-
You could try the `in` keyword.
```rego
import future.keywords.in

deny[msg] {
    input.request.operation = "CREATE"
    input.request.kind.kind = "storageclass"
    "storageclass" in input.request.object.spec.type
    annotations["service.beta.kubernetes.io/is-default-class"] != "true"
    msg = "StorageClass not permitted"
}
```
-
Hello,
I am a novice, so I am not sure how to pull the link, but here is my Rego:
```rego
package kubernetes.admission

import data.kubernetes.namespaces
import input.request.object.metadata.annotations as annotations

deny[msg] {
    input.request.kind.kind = "storageclass"
    input.request.operation = "CREATE"
    input.request.object.spec.type[_] = "storageclass"
    not annotations["service.beta.kubernetes.io/is-default-class"] = "true"
    msg = "StorageClass not permitted"
}
```
Here is my YAML for the test:
```yaml
apiVersion: storage.k8s.io/v1
metadata:
  name: storageclassdefault
  annotations:
    storageclass.kubernetes.io/is-default-class: "true"
provisioner: kubernetes.io/aws-ebs
spec:
  type: default
parameters:
  type: default
```
On Monday, June 20, 2022, 10:19:58 AM CDT, Anders Eknert ***@***.***> wrote:
Hi there! Could you please provide a link to the Rego Playground with both your policy and an example input that you would expect to match?
-
Thanks Peter,
Am I wrong, or would that deny all storage classes? I want to be able to create storage classes with the exception of type default. Any kind of storage class can be created; it just can not be created as the default of that type of storage. Below is roughly how I would explain it. The info is for example only:
i.e. StorageClass type: io2 = yes, name: meta = yes
i.e. StorageClass type: io2 = yes, name: default = no, deny
On Monday, June 20, 2022, 06:22:01 PM CDT, Peter ONeill ***@***.***> wrote:
You could try the `in` keyword.
```rego
import future.keywords.in

deny[msg] {
    input.request.operation = "CREATE"
    input.request.kind.kind = "storageclass"
    "storageclass" in input.request.object.spec.type
    annotations["service.beta.kubernetes.io/is-default-class"] != "true"
    msg = "StorageClass not permitted"
}
```
-
Thanks... I have the link below:
-
Setup for 6/28 2:30 PM CST.
On Friday, June 24, 2022 at 11:02:55 AM CDT, Peter ONeill ***@***.***> wrote:
It might be easier if you join one of the future office hours.
https://calendly.com/peter-styra/opa-office-hours
-
I am in the meeting waiting for it to open
On Friday, June 24, 2022, 10:30:21 AM CDT, Peter ONeill ***@***.***> wrote:
I would recommend taking the test data you have and dropping it into a Rego Playground to see what the output will be.
https://play.openpolicyagent.org/
Once you have a playground configured, hit the publish button and share the link.
-
Checking in to see if there are any updates from our call.
-
Thanks.
I did an edit to change the gp2 reference to default. Can you take a look at my playground? That looks like it. I can create a storage class of any kind; it just can not be the default of that kind (i.e. I can create "gp2 gp2", but it can not be "gp2 default", which is my goal).
https://play.openpolicyagent.org/p/ahpd34ABAT
On Tuesday, July 5, 2022 at 04:04:25 PM CDT, Peter ONeill ***@***.***> wrote:
@cmwatts1974 sorry for the delay, here is a playground with the actual input from Kubernetes when creating a storage class.
https://play.openpolicyagent.org/p/9SAWyMXog4
-
Not yet... just back from being out.
On Wednesday, July 6, 2022 at 02:33:17 PM CDT, Peter ONeill ***@***.***> wrote:
Yup, that looks good to me, have you tested the policy out yet?
-
I have been struggling with this Rego to create an OPA policy. I am new to creating them and can't seem to get it to allow creation of any type of storage class that has a name other than default. I need it to create storage classes while denying the standard "default". I tried using [_] so it would find all types of storage class and then deny if it is the default name. Any assistance would be appreciated.
Config below:
```rego
package kubernetes.admission

import data.kubernetes.namespaces
import input.request.object.metadata.annotations as annotations

deny[msg] {
    input.request.kind.kind = "storageclass"
    input.request.operation = "CREATE"
    input.request.object.spec.type[_] = "storageclass"
    not annotations["service.beta.kubernetes.io/is-default-class"] = "true"
    msg = "StorageClass not permitted"
}
```
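The policy below is an added example written for this thread; it is not code from the thread, from the linked playgrounds, or from the OPA project. It does what the original post (above) and the follow-up YAML describe: let any StorageClass be created, but refuse one that is marked as the cluster default. Two details differ from the posted rule and are why that rule never matched: the Kubernetes admission request carries the kind as `StorageClass` (case-sensitive), and the default marker is the annotation `storageclass.kubernetes.io/is-default-class` that the test YAML actually uses (or its older spelling `storageclass.beta.kubernetes.io/is-default-class`), not `service.beta.kubernetes.io/is-default-class`. The `default_annotations` set, the `default_sc`/`plain_sc` inputs and the test rule names are constructed for this example; the request layout assumes the standard AdmissionReview shape, trimmed to the fields the policy reads.

```rego
package kubernetes.admission

import future.keywords.in

# Added example: both annotation keys Kubernetes recognises for "this is the
# default StorageClass". The beta key is the legacy spelling; checking both
# means a request using either one is still caught.
default_annotations := {
    "storageclass.kubernetes.io/is-default-class",
    "storageclass.beta.kubernetes.io/is-default-class",
}

# Deny only a CREATE of a StorageClass whose default annotation is "true".
# Any other StorageClass (no annotation, or annotation "false") is allowed,
# and UPDATE/DELETE of existing objects is not touched by this rule.
deny[msg] {
    input.request.operation == "CREATE"
    # AdmissionReview kind is case-sensitive: "StorageClass", not "storageclass".
    input.request.kind.kind == "StorageClass"
    some key in default_annotations
    input.request.object.metadata.annotations[key] == "true"
    msg := sprintf("StorageClass %q may not be created as the default class (annotation %q)",
        [input.request.object.metadata.name, key])
}

# --- constructed inputs for `opa test` (not real cluster traffic) -----------

# A gp2 class annotated as the default: must be denied.
default_sc := {"request": {
    "operation": "CREATE",
    "kind": {"kind": "StorageClass"},
    "object": {
        "metadata": {
            "name": "gp2-default",
            "annotations": {"storageclass.kubernetes.io/is-default-class": "true"},
        },
        "provisioner": "kubernetes.io/aws-ebs",
        "parameters": {"type": "gp2"},
    },
}}

# The same gp2 class with the annotation explicitly "false": must be allowed,
# which shows the rule keys on the value, not on the annotation being present.
plain_sc := {"request": {
    "operation": "CREATE",
    "kind": {"kind": "StorageClass"},
    "object": {
        "metadata": {
            "name": "gp2",
            "annotations": {"storageclass.kubernetes.io/is-default-class": "false"},
        },
        "provisioner": "kubernetes.io/aws-ebs",
        "parameters": {"type": "gp2"},
    },
}}

test_default_storageclass_denied {
    count(deny) == 1 with input as default_sc
}

test_non_default_storageclass_allowed {
    count(deny) == 0 with input as plain_sc
}

test_lowercase_kind_does_not_match {
    # Shows why the posted rule never fired: the kind comparison is exact.
    count(deny) == 0 with input as json.patch(default_sc,
        [{"op": "replace", "path": "/request/kind/kind", "value": "storageclass"}])
}

test_update_of_existing_default_not_denied {
    count(deny) == 0 with input as json.patch(default_sc,
        [{"op": "replace", "path": "/request/operation", "value": "UPDATE"}])
}
```

Save the block as `storageclass.rego` and run `opa test storageclass.rego -v`; the three test rules exercise the deny path, the allow path and the two near-misses. If you also want to block a PATCH/UPDATE that flips an existing class to default, add `"UPDATE"` to the operation check and test it the same way.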