I'm trying to write some Rego policies to enforce some company labels on our Kubernetes objects, and I'm struggling to get the right syntax for labels that have an additional slash (/) or periods (.) in them.

An example label would be:

```yaml
metadata:
  labels:
    mycompany.com/teamName: foo-team
```

A very simple attempt I've tried is:

```rego
teams := ["foo-team", "bar-team"]

deny_team_label contains msg if {
  not `input.metadata.labels.mycompany.com/team` in teams
  msg := "Must have a valid mycompany.com/team label"
}
```

But this fails to trigger.

If the label is

```yaml
metadata:
  labels:
    teamName: foo-team
```

Then this policy works as expected:

```rego
teams := ["foo-team", "bar-team"]

deny_team_label contains msg if {
  not input.metadata.labels.team in teams
  msg := "Must have a valid team label"
}
```
NA Slacker

1 Answer

You can "escape" the part of the path containing characters with a meaning in Rego (such as the dot), by using a string enclosed in brackets:

```rego
teams := ["foo-team", "bar-team"]

deny_team_label contains msg if {
    not input.metadata.labels["mycompany.com/team"] in teams
    msg := "Must have a valid mycompany.com/team label"
}
```

See example from the OPA docs here.

Devoops
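An added example, not part of the original question or answer: the bracket lookup from the answer extended into a policy that reports a missing label separately from an unapproved value, with unit tests that can be run with `opa test`. The package name, `allowed_teams`, `team_label`, and the test inputs are constructed for illustration.

```rego
package kubernetes.labels

import rego.v1

# Constructed allow-list; a set gives direct membership checks.
allowed_teams := {"foo-team", "bar-team"}

# The key contains "." and "/", so it must be used as a bracketed string key.
team_label := "mycompany.com/team"

# Label absent: object.get returns the default instead of going undefined,
# even when metadata or labels is missing entirely.
deny_team_label contains msg if {
    object.get(input, ["metadata", "labels", team_label], null) == null
    msg := sprintf("Missing required label %s", [team_label])
}

# Label present but its value is not on the allow-list.
deny_team_label contains msg if {
    value := input.metadata.labels[team_label]
    not value in allowed_teams
    msg := sprintf("Label %s has invalid value '%s'", [team_label, value])
}

test_valid_label_allowed if {
    obj := {"metadata": {"labels": {"mycompany.com/team": "foo-team"}}}
    count(deny_team_label) == 0 with input as obj
}

test_missing_label_denied if {
    obj := {"metadata": {"labels": {"app": "web"}}}
    "Missing required label mycompany.com/team" in deny_team_label with input as obj
}

test_no_metadata_denied if {
    "Missing required label mycompany.com/team" in deny_team_label with input as {}
}

test_unknown_team_denied if {
    obj := {"metadata": {"labels": {"mycompany.com/team": "baz-team"}}}
    "Label mycompany.com/team has invalid value 'baz-team'" in deny_team_label with input as obj
}
```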