Comments (11)
@garethahealy @sabre1041 the latest release of OPA (v0.28.0), released yesterday, contains support for schema annotations and uploading a directory of JSON schemas to the OPA engine. Compared to the previous release it supports schemas for both input and data documents. There are several features for globally scoped annotations and various other scopes, which should hopefully help with Rego library development for COP. Please check it out and let us know if you have any feedback. Here's the documentation: https://www.openpolicyagent.org/docs/latest/schemas/ cc: @vazirim
@aavarghese I saw the tweet and medium post!
@aavarghese @vazirim thoughts?
Wondering if this would be resolved by passing in the schemas dir. This PR suggests that's supported, but I can't see where it made the release, and when I've tried to pass in a dir I get a read error:
opa eval --input /tmp/rhcop/23-03-2021-10-40/policy/ocp/bestpractices/common-k8s-labels-notset/test_data/unit/list.yml --data policy/lib --data policy/ocp/bestpractices/common-k8s-labels-notset/src.rego --schema _test/openshift-json-schema/release-4.5-local/ --profile --format pretty data.ocp.bestpractices.common_k8s_labels_notset
read _test/openshift-json-schema/release-4.5-local/: is a directory
@garethahealy yes PR 3123 hasn't been merged yet but it's very close. It will be available in the next release of OPA.
It has support for schema directories and schema annotations attached to rules.
Did a bit of playing around tonight. Probably need to merge a couple of schemas to get something working, due to how the rego is currently written:
$ opa eval --format pretty --input /tmp/rhcop/19-03-2021-17-27/policy/ocp/bestpractices/common-k8s-labels-notset/test_data/unit/list.yml --data policy/lib --data policy/lib/kubernetes.rego --data policy/lib/openshift.rego --data policy/ocp/bestpractices/common-k8s-labels-notset/src.rego --schema _test/openshift-json-schema/release-4.5-local/deploymentconfig-apps-v1.json data.ocp.bestpractices.common_k8s_labels_notset
2 errors occurred:
policy/lib/konstraint/core.rego:7: rego_type_error: undefined ref: input.review
input.review
^
have: "review"
want (one of): ["apiVersion" "kind" "metadata" "spec" "status"]
policy/lib/konstraint/core.rego:10: rego_type_error: undefined ref: input.review.object
input.review.object
^
have: "review"
want (one of): ["apiVersion" "kind" "metadata" "spec" "status"]
Even generating a schema that wraps a gatekeeper review + target kind (see attached), I still hit issues around how the rego is written to handle multiple types:
policy/lib/konstraint/pods.rego:16: rego_type_error: undefined ref: data.lib.konstraint.core.resource.spec.jobTemplate.spec.template
data.lib.konstraint.core.resource.spec.jobTemplate.spec.template
^
have: "jobTemplate"
want (one of): ["template"]
Added an example showing the above:
git clone --branch schema-playground --depth 1 https://github.com/garethahealy/rego-policies.git
cd rego-policies
_test/testing-schema.sh
Hey @vazirim; I've tried with that PR as well but don't get any schema warnings when I'd expect to:
Any ideas what I might be doing wrong?
CC @sabre1041
The above commit link has comments around how we could use it.
@aavarghese; can the schema validation be used with variables?
Could I add the below schema to the above method?
# METADATA
# scope: rule
# schemas:
# - container: schema["container-v1"]
I've obviously tried but get:
rego_parse_error: invalid document reference
@garethahealy Today the schema support in OPA only allows the path refs to be either input or data.
We have future plans to look into supporting other refs for rule inputs/outputs etc. This is a good example use case for variables - thanks for sharing! Will let you know if there are updates. cc: @vazirim
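Since only input and data refs can be annotated, the Gatekeeper review shape has to be expressed in the schema attached to input, which is the wrapping described earlier in this thread. The following is an added example, not code from rego-policies or OPA: it builds such a wrapper around a constructed, trimmed DeploymentConfig schema and walks a Rego ref through it to reproduce the have/want mismatch OPA reports. The Gatekeeper review fields (operation, kind, object, oldObject, userInfo) and the untyped-object handling are assumptions made here.

```python
# Constructed, trimmed stand-in for deploymentconfig-apps-v1.json: only the
# top-level keys and spec.template matter for the type-check demonstration.
DEPLOYMENTCONFIG_SCHEMA = {
    "type": "object",
    "properties": {
        "apiVersion": {"type": "string"},
        "kind": {"type": "string"},
        "metadata": {"type": "object"},
        "spec": {"type": "object", "properties": {"template": {"type": "object"}}},
        "status": {"type": "object"},
    },
}


def wrap_for_gatekeeper(kind_schema):
    """Wrap a kind schema in the shape a Gatekeeper constraint receives as
    `input`: input.review holds the admission request, input.review.object
    the resource under review (assumed field set, see lead-in)."""
    review = {
        "type": "object",
        "properties": {
            "operation": {"type": "string"},
            "kind": {"type": "object"},
            "object": kind_schema,
            "oldObject": kind_schema,
            "userInfo": {"type": "object"},
        },
    }
    return {
        "type": "object",
        "properties": {"review": review, "parameters": {"type": "object"}},
    }


def check_ref(schema, ref):
    """Walk a dotted Rego ref such as 'input.review.object.spec' through the
    schema. Return None when every segment is a declared property, otherwise
    a (have, want) pair mirroring OPA's rego_type_error output."""
    node = schema
    for seg in ref.split(".")[1:]:  # first segment is the root document name
        props = node.get("properties")
        if props is None:  # object without declared properties: assumed to accept any key
            return None
        if seg not in props:
            return seg, sorted(props)
        node = props[seg]
    return None
```

Running check_ref against the unwrapped schema reproduces the "have: review / want: apiVersion, kind, ..." error from this thread, while the wrapped schema accepts input.review.object.spec.template and still rejects the CronJob-style jobTemplate path.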