Rename deny rule to violation

We should push a release after merging this PR to make sure demo/example still work. Signed-off-by: Max Smythe <smythe@google.com>
open-policy-agent · Jul 2, 2019 · 4595ef4 · 4595ef4
1 parent e162885
commit 4595ef4
Show file tree

Hide file tree

Showing 19 changed files with 66 additions and 63 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/README.md b/README.md
@@ -142,7 +142,7 @@ spec:
       rego: |
         package k8srequiredlabels
 
-        deny[{"msg": msg, "details": {"missing_labels": missing}}] {
+        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
           provided := {label | input.review.object.metadata.labels[label]}
           required := {label | label := input.constraint.spec.parameters.labels[_]}
           missing := required - provided

diff --git a/demo/agilebank/remediation/k8sbannedimagetags_template.yaml b/demo/agilebank/remediation/k8sbannedimagetags_template.yaml
@@ -23,7 +23,7 @@ spec:
       rego: |
         package k8sbannedimagetags
 
-        deny[{"msg": msg}] {
+        violation[{"msg": msg}] {
           container := input.review.object.spec.containers[_]
           img_split := split(container.image, ":")
           tag := img_split[count(img_split) - 1]

diff --git a/demo/agilebank/templates/k8sallowedrepos_template.yaml b/demo/agilebank/templates/k8sallowedrepos_template.yaml
@@ -23,7 +23,7 @@ spec:
       rego: |
         package k8sallowedrepos
 
-        deny[{"msg": msg}] {
+        violation[{"msg": msg}] {
           container := input.review.object.spec.containers[_]
           satisfied := [good | repo = input.constraint.spec.parameters.repos[_] ; good = startswith(container.image, repo)]
           not any(satisfied)

diff --git a/demo/agilebank/templates/k8scontainterlimits_template.yaml b/demo/agilebank/templates/k8scontainterlimits_template.yaml
@@ -124,45 +124,45 @@ spec:
           new := to_number(raw) * mem_multiple(suffix)
         }
 
-        deny[{"msg": msg}] {
+        violation[{"msg": msg}] {
           container := input.review.object.spec.containers[_]
           cpu_orig := container.resources.limits.cpu
           not canonify_cpu(cpu_orig)
           msg := sprintf("container <%v> cpu limit <%v> could not be parsed", [container.name, cpu_orig])
         }
 
-        deny[{"msg": msg}] {
+        violation[{"msg": msg}] {
           container := input.review.object.spec.containers[_]
           mem_orig := container.resources.limits.memory
           not canonify_mem(mem_orig)
           msg := sprintf("container <%v> memory limit <%v> could not be parsed", [container.name, mem_orig])
         }
 
-        deny[{"msg": msg}] {
+        violation[{"msg": msg}] {
           container := input.review.object.spec.containers[_]
           not container.resources
           msg := sprintf("container <%v> has no resource limits", [container.name])
         }
 
-        deny[{"msg": msg}] {
+        violation[{"msg": msg}] {
           container := input.review.object.spec.containers[_]
           not container.resources.limits
           msg := sprintf("container <%v> has no resource limits", [container.name])
         }
 
-        deny[{"msg": msg}] {
+        violation[{"msg": msg}] {
           container := input.review.object.spec.containers[_]
           missing(container.resources.limits, "cpu")
           msg := sprintf("container <%v> has no cpu limit", [container.name])
         }
 
-        deny[{"msg": msg}] {
+        violation[{"msg": msg}] {
           container := input.review.object.spec.containers[_]
           missing(container.resources.limits, "memory")
           msg := sprintf("container <%v> has no memory limit", [container.name])
         }
 
-        deny[{"msg": msg}] {
+        violation[{"msg": msg}] {
           container := input.review.object.spec.containers[_]
           cpu_orig := container.resources.limits.cpu
           cpu := canonify_cpu(cpu_orig)
@@ -172,7 +172,7 @@ spec:
           msg := sprintf("container <%v> cpu limit <%v> is higher than the maximum allowed of <%v>", [container.name, cpu_orig, max_cpu_orig])
         }
 
-        deny[{"msg": msg}] {
+        violation[{"msg": msg}] {
           container := input.review.object.spec.containers[_]
           mem_orig := container.resources.limits.memory
           mem := canonify_mem(mem_orig)

diff --git a/demo/agilebank/templates/k8srequiredlabels_template.yaml b/demo/agilebank/templates/k8srequiredlabels_template.yaml
@@ -39,7 +39,7 @@ spec:
           msg := constraint.spec.parameters.message
         }
 
-        deny[{"msg": msg, "details": {"missing_labels": missing}}] {
+        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
           provided := {label | input.review.object.metadata.labels[label]}
           required := {label | label := input.constraint.spec.parameters.labels[_].key}
           missing := required - provided
@@ -48,7 +48,7 @@ spec:
           msg := get_message(input.constraint, def_msg)
         }
 
-        deny[{"msg": msg}] {
+        violation[{"msg": msg}] {
           value := input.review.object.metadata.labels[key]
           expected := input.constraint.spec.parameters.labels[_]
           expected.key == key

diff --git a/demo/agilebank/templates/k8suniqueserviceselector_template.yaml b/demo/agilebank/templates/k8suniqueserviceselector_template.yaml
@@ -39,7 +39,7 @@ spec:
           flattened := concat(",", sort(selectors))
         }
 
-        deny[{"msg": msg}] {
+        violation[{"msg": msg}] {
           input.review.kind.kind == "Service"
           input.review.kind.version == "v1"
           input.review.kind.group == ""

diff --git a/demo/basic/bad/bad_template.yaml b/demo/basic/bad/bad_template.yaml
@@ -46,7 +46,7 @@ spec:
           obj.apiVersion == make_apiversion(review.kind)
         }
 
-        deny[{"msg": msg, "details": {"value": val, "label": label}}]
+        violation[{"msg": msg, "details": {"value": val, "label": label}}]
           label := input.constraint.spec.parameters.label
           val := input.review.object.metadata.labels[label]
           cluster_objs := [o | o = data.inventory.cluster[_][_][_]; not identical_cluster(o, input.review)]

diff --git a/demo/basic/templates/k8srequiredlabels_template.yaml b/demo/basic/templates/k8srequiredlabels_template.yaml
@@ -22,7 +22,7 @@ spec:
       rego: |
         package k8srequiredlabels
 
-        deny[{"msg": msg, "details": {"missing_labels": missing}}] {
+        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
           provided := {label | input.review.object.metadata.labels[label]}
           required := {label | label := input.constraint.spec.parameters.labels[_]}
           missing := required - provided

diff --git a/demo/basic/templates/k8srequiredlabels_template_external_data.yaml b/demo/basic/templates/k8srequiredlabels_template_external_data.yaml
@@ -22,7 +22,7 @@ spec:
       rego: |
         package k8srequiredlabels
 
-        deny[{"msg": msg, "details": {"missing_labels": missing}}] {
+        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
           provided := {label | input.review.object.metadata.labels[label]}
           required := {label | label := input.constraint.spec.parameters.labels[_]}
           missing := required - provided

diff --git a/demo/basic/templates/k8suniquelabels_template.yaml b/demo/basic/templates/k8suniquelabels_template.yaml
@@ -46,7 +46,7 @@ spec:
           obj.apiVersion == make_apiversion(review.kind)
         }
 
-        deny[{"msg": msg, "details": {"value": val, "label": label}}] {
+        violation[{"msg": msg, "details": {"value": val, "label": label}}] {
           label := input.constraint.spec.parameters.label
           val := input.review.object.metadata.labels[label]
           cluster_objs := [o | o = data.inventory.cluster[_][_][_]; not identical_cluster(o, input.review)]

diff --git a/example/templates/k8srequiredlabels_template.yaml b/example/templates/k8srequiredlabels_template.yaml
@@ -22,7 +22,7 @@ spec:
       rego: |
         package k8srequiredlabels
 
-        deny[{"msg": msg, "details": {"missing_labels": missing}}] {
+        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
           provided := {label | input.review.object.metadata.labels[label]}
           required := {label | label := input.constraint.spec.parameters.labels[_]}
           missing := required - provided

diff --git a/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go b/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go
@@ -72,7 +72,7 @@ func TestReconcile(t *testing.T) {
 					Rego: `
 package foo
 
-deny[{"msg": "denied!"}] {
+violation[{"msg": "denied!"}] {
 	1 == 1
 }
 `},
@@ -219,7 +219,7 @@ deny[{"msg": "denied!"}] {
 					Rego: `
 package foo
 
-deny[}}}//invalid//rego
+violation[}}}//invalid//rego
 `},
 			},
 		},

diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/README.md b/vendor/github.com/open-policy-agent/frameworks/constraint/README.md
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/client.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/client.go
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/client_test.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/client_test.go
diff --git a/...github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/local_test.go b/...github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/local_test.go