Rego policy for Kubernetes labels containing /



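I'm trying to write some Rego policies to enforce some company labels on our Kubernetes objects, and I'm struggling to get the syntax right for labels that contain extra slashes (/) or periods (.).

An example label is: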

metadata:
  labels:
    mycompany.com/teamName: foo-team

A very simple attempt I tried is:

teams := ["foo-team", "bar-team"]
deny_team_label contains msg if {
    not `input.metadata.labels.mycompany.com/team` in teams
    msg := "Must have a valid mycompany.com/team label"
}

But this doesn't fire.

If the label is:

metadata:
  labels:
    teamName: foo-team

then this policy works as expected:

teams := ["foo-team", "bar-team"]
deny_team_label contains msg if {
    not input.metadata.labels.team in teams
    msg := "Must have a valid team label"
}

You can "escape" parts of a path that contain characters meaningful in Rego (such as dots) by using a string in brackets:

teams := ["foo-team", "bar-team"]
deny_team_label contains msg if {
    not input.metadata.labels["mycompany.com/team"] in teams
    msg := "Must have a valid mycompany.com/team label"
}

See the example in the OPA documentation here.
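As an added example (not part of the original answer or the OPA documentation), the bracketed lookup can be exercised with OPA's built-in test runner, including the cases where the label is absent. The package name and all test inputs are constructed for illustration.

```rego
package kubernetes.labels_example

import rego.v1

# Allow-list copied from the answer above.
teams := ["foo-team", "bar-team"]

# A key containing "." or "/" is looked up with a bracketed string.
# If the label (or any parent object) is missing, the lookup is
# undefined, so `not ... in teams` is true and the rule still fires.
deny_team_label contains msg if {
	not input.metadata.labels["mycompany.com/team"] in teams
	msg := "Must have a valid mycompany.com/team label"
}

# --- Tests over constructed inputs; run with `opa test .` ---

# Known team: no violation.
test_valid_label_allowed if {
	count(deny_team_label) == 0 with input as {"metadata": {"labels": {"mycompany.com/team": "foo-team"}}}
}

# Label present but value not in the allow-list.
test_unknown_team_denied if {
	count(deny_team_label) == 1 with input as {"metadata": {"labels": {"mycompany.com/team": "baz-team"}}}
}

# Other labels present, required one missing.
test_missing_label_denied if {
	count(deny_team_label) == 1 with input as {"metadata": {"labels": {"app": "web"}}}
}

# Un-prefixed key does not satisfy the prefixed lookup.
test_unprefixed_label_denied if {
	count(deny_team_label) == 1 with input as {"metadata": {"labels": {"team": "foo-team"}}}
}

# No metadata at all: the whole path is undefined, rule still fires.
test_missing_metadata_denied if {
	count(deny_team_label) == 1 with input as {"kind": "Pod"}
}
```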
