Rego is a query language. To make a policy decision in Rego, you write logical tests on the data that comes in as input (such as the API or SSH data from the last section).
Questions tagged [rego]
161 questions
1 vote, 1 answer
OPA masking a dynamic array field
I'm trying to apply masking on an input and result field that is part of an array. And the size of the array is dynamic. Based on the documentation, it is instructed to provide an absolute array index, which is not possible in this use case. Do we have…

Sulbigar Shanawaz
1 vote, 1 answer
Check if array contained within another in rego
I have two arrays: x and y
I want to check if x is contained within y.
There is no contains() function in Rego.
Next thing I tried is to create the mathematical equivalent to the contains() function:
x ⊆ y ⇔ (x ⋂ y) == x.
So I tried to do the…

Stack Overflow
1 vote, 2 answers
Concat 2 string together in rego
How can I concat 2 strings?
Here, I tried to define a function that concats "f" to the end of a provided string:
concat_f(bar) = output{
item := ["f"]
x := concat(bar, item)
output := x
}
But when I try to use it (passing in bar as…

Stack Overflow
1 vote, 0 answers
OPA Envoy - Policy with http.send fails under load
Expected Behavior
http.send should be working fine under load
Actual Behavior
After processing 1000 requests in a given minute, it fails with a too many open file descriptors error and resumes after that particular minute
Steps to Reproduce the…

TheHydGuy
1 vote, 3 answers
Return all keys in data
I'm new to OPA/Rego and am having a hard time understanding what exactly is the issue here: https://play.openpolicyagent.org/p/h08NbfmF4j
I'd like to have teams associated with the * category, for which I'd expect the accessible[team] rule to return all…

tavlima
1 vote, 1 answer
How to retrieve namespace value from the resourcequota object from data.inventory
In the gatekeeper template, trying to fetch the namespace from the resourcequota object (replicated using the sync.yaml).
Currently trying to fetch using:
existingrqs := {e | e :=…

Prageetika
1 vote, 1 answer
How to forbid Pods in Namespaces without ResourceQuota using Gatekeeper?
I want to forbid the creation of Pods in Namespaces which do not have a ResourceQuota. If possible, I want Gatekeeper to ensure that there is a ResourceQuota which sets limits.cpu and limits.memory before allowing the creation of Pods.
I have…

Prageetika
1 vote, 1 answer
Unable to read kubernetes property
I'm working on a policy that dictates that a kaniko image must always run on a nodePool kaniko-nodepool.
If a kaniko image is deployed anywhere else, it will be a violation. I'm using a combination of container image and nodeSelector to enforce the…

jeunii
1 vote, 1 answer
How to apply a function to each value of an array and store the results
I am new to Open Policy Agent and the Rego language. I have an array of strings. Each of those strings needs to have some operation performed on them so they may be in the appropriate format for use later. Is there a way to apply a function to each…

sv251
1 vote, 1 answer
Assert that every string in a set has an associated key in an object
After reading through the Open Policy Agent introduction documentation a few times, I'm having trouble writing a rule which asserts that for every element in a set, the specified object has an associated key.
Here's a simplified example of what I'm…

Elliot Pryde
1 vote, 1 answer
Open Policy Agent (OPA) Rego - Accessing Input Object Nested Fields At Runtime
I am trying to create a somewhat generic rego policy that can evaluate a nested object field that is given from an input.
For example:
field_from_input := "spec.securityContext.runAsRoot"
violation[{"msg": msg}] {
fields :=…

Ido Gold
1 vote, 1 answer
Caching of constants in OPA?
Somewhat contrived example perhaps, but for a top level assignment like this:
cache_duration_seconds := 60 * 60 * 24 * 30
Does OPA recognize the value as constant and persist it between requests, or is it going to be calculated per invocation?

Devoops
1 vote, 2 answers
Using walk to recursively aggregate resources in a terraform state with rego
I'm using Open Policy Agent to write policy against the JSON output of my terraform state.
Here is the structure of the state file:
{
"format_version": "0.1",
"terraform_version": "0.12.28",
"values": {
"root_module": {
"resources":…

Scrofungulus
1 vote, 1 answer
Is it possible to use the output of an external program in an Open policy agent policy
I would like to have a policy where the decision has to be made by querying a field against a system of record which does not have an HTTP API. Is there a way for a policy to call an external program and use its return code to decide whether to…

suppandi g
1 vote, 1 answer
Array.map for Rego or how to combine RBAC with api routes
I would like to define permissions in JSON data such as:
"permissions": [
{
"resource": ["users", ":uid", "salary"],
"action": "GET"
}
]
Now when evaluating, I want to replace :uid with input.subject . How would I go about this? Is there…

restfulhead