Update simple Kubernetes deployment example #1343
Conversation
| input.kind == "Pod" | ||
| container := input.spec.containers[_] | ||
| not re_match("^registry.acmecorp.com/.+$", container.image) | ||
| deny["Invalid image registry"] { |
There was a problem hiding this comment.
If the goal is to show just OPA and not relate it to the admission controller should we change the policy to not look like the admission requests at all? The changes made are substantial if you know what the admission requests look like, but the policy is still showing the same sort of behavior.
Maybe we just show the same example as the docker one earlier in that page?
There was a problem hiding this comment.
The thought crossed my mind at the time. I've updated it to avoid lingering confusion. LMKWYT.
| deny { | ||
| not input.metadata.labels.customer | ||
| deny["Missing customer label"] { | ||
| not input.tags.customer | ||
| } |
There was a problem hiding this comment.
It would be useful to also show a rule that returns a true/false
There was a problem hiding this comment.
The policy now matches the Docker example above. If we want to include true/false examples here, we could come back and add it later. Not sure it's required though.
Fixes open-policy-agent#874 Signed-off-by: Torin Sandall <torinsandall@gmail.com>
tsandall
force-pushed
the
add-note-to-kubernetes-deployments
branch
from
a74f5bf to
4cecfb8
Compare
Fixes #874
Signed-off-by: Torin Sandall torinsandall@gmail.com