0

Just started to deal with conftest and OPA, I'm trying to validate a sample kubernetes deployment manifest to make sure it contains a specific key in a list (i.e. image exists for all containers)

here's a sample input

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - image: hub.com/img1:tag1
        imagePullPolicy: Always

I thought this policy should check the existence of image for all containers:

deny[reason] {
    input.kind == "Deployment"
    some i
    not input.spec.template.spec.containers[i].image
    reason := "Container.image not found"
}

but conftest throws an error complaining not input.spec.template.spec.containers[i].image expression is unsafe

Any comments/suggestions on how to deal with this case is appreciated.

Will Beason
  • 3,417
  • 2
  • 28
  • 46
Mahyar
  • 1,011
  • 2
  • 17
  • 37

1 Answers1

2

Ensure variables in negated expressions (not ...) are assigned in another non-negated expression in the rule. For example:

deny[reason] {
    input.kind == "Deployment"
    container := input.spec.template.spec.containers[_]
    not container.image
    reason := "Container.image not found"
}

In this version, the only variable in the negated expression is container. The container variable is assigned on the previous line, so the expression is safe.

OPA complains about not input.spec.template.spec.containers[i].image because it will search for all variable assignments that make the expressions in the rule true. Since the variable i is not assigned anywhere else, there would be an infinite number of assignments to i that satisfy not input.spec.template.spec.containers[i].image... e.g., i = 100, i = -1, i = "foo", etc. Since we want to guarantee that policy execution terminates, OPA rejects the expression.

More information and examples on safety here: https://www.openpolicyagent.org/docs/latest/faq/#safety

tsandall
  • 1,544
  • 8
  • 8