How to test that one object is a subset of another object in rego

Question

I'd like to write a Rego rule that checks Kubernetes deployment selectors against the labels declared in the template. The rule should pass if every key/value present in spec.selector.matchLabels is present in spec.template.metadata.labels.

If I were to write this in Javascript it would look something like this:

for(let key of input.spec.selector.matchLabels) {
  assert(input.spec.selector.matchLabels[key] === input.spec.template.metadata.labels[key], `${key} doesn't match`)
}

I'm not sure how to write the equivalent in Rego. I've come up with a way to check that keys are present but I don't know how to check the values. Here's what I have so far:

selector_match_labels {
    # keys in matchLabels are present in the template labels
    matchLabels := { label | input.spec.selector.matchLabels[label] }
    labels := { label | input.spec.template.metadata.labels[label] }
    count(matchLabels - labels) == 0
    # How to check the values of each key matches?
}

Answer 1

You're almost there. Just create a set of key-value pairs instead of a set of keys.

matchLabels := { [label, value] | some label; value := input.spec.selector.matchLabels[label] }
labels := { [label, value] | some label; value := input.spec.template.metadata.labels[label] }
count(matchLabels - labels) == 0

Answer 2

Here's another solution that finds any non-matching value.

deny[msg] {
    some label
    val := input.spec.selector.matchLabels[label]
    val != input.spec.template.metadata.labels[label]
    msg = sprintf("template label %s must match selector", [ label ])
}

This solution uses some to find any key that doesn't match. That's enough to create a deny rule. This is opposite of "allow if all key/values match" which works well enough for a deny rule.