open-policy-agent / conftest

Write tests against structured configuration data using the Open Policy Agent Rego query language
https://conftest.dev

Invalid parsing of ResourceQuota yaml file #928

Closed mkucharsky closed 7 months ago

mkucharsky commented 7 months ago

The ResourceQuota object definition involves limits keys with dots, and there is an issue getting the value of the limits:

policy.rego

package main

deny_incorrect_memory_unit[msg] {
  input.kind == "ResourceQuota"
  memoryLimit := input.spec.hard.limits.memory

  not regex.match("^[0-9]+M$", memoryLimit)
  msg := sprintf("%s: Incorrect value %s. Memory Limit in ResourceQuota must be defined in Megabytes (M) unit", [input.metadata.namespace, memoryLimit])
}

resource-quota.yaml

apiVersion: v1
kind: ResourceQuota
metadata:
  name: app
  namespace: backend
spec:
  hard:
    pods: 1
    limits.cpu: 3
    limits.memory: "1G"

In the above example the test finishes with success, despite the wrong unit in limits.memory. After replacing the YAML file with the structure below (which is not supported by k8s), the test finishes with the expected result - failure:

spec:
  hard:
    pods: 1
    limits:
        cpu: 3
        memory: "1G"

Tested on versions 0.32.0 and 0.50.0.

mkucharsky commented 7 months ago

I found the solution. I need to use input.spec.hard["limits.memory"]
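The bracket lookup from the comment above, worked into a complete policy with tests, as an added example (not code from the issue or from the conftest project). It uses the same pre-1.0 Rego syntax as the issue; the `memory_limit` helper, the `deny_missing_memory_limit` rule, the `quota` function and the test inputs are assumptions constructed for illustration.

```rego
package main

# Bracket lookup is required because the key itself contains a dot.
# input.spec.hard.limits.memory walks hard -> limits -> memory, which is
# undefined for a real ResourceQuota, so the deny body never becomes true.
memory_limit := input.spec.hard["limits.memory"]

deny_incorrect_memory_unit[msg] {
  input.kind == "ResourceQuota"
  is_string(memory_limit)
  not regex.match("^[0-9]+M$", memory_limit)
  msg := sprintf("%s: Incorrect value %s. Memory Limit in ResourceQuota must be defined in Megabytes (M) unit", [input.metadata.namespace, memory_limit])
}

# Assumed extra rule (not in the issue): report a missing or non-string
# limit instead of passing silently when the lookup is undefined.
deny_missing_memory_limit[msg] {
  input.kind == "ResourceQuota"
  not is_string(memory_limit)
  msg := sprintf("%s: limits.memory must be set as a quoted string", [input.metadata.namespace])
}

# Constructed test input mirroring resource-quota.yaml from the issue.
quota(mem) := {
  "kind": "ResourceQuota",
  "metadata": {"name": "app", "namespace": "backend"},
  "spec": {"hard": {"pods": 1, "limits.cpu": 3, "limits.memory": mem}},
}

test_wrong_unit_is_denied {
  q := quota("1G")
  count(deny_incorrect_memory_unit) == 1 with input as q
}

test_megabytes_pass {
  q := quota("512M")
  count(deny_incorrect_memory_unit) == 0 with input as q
  count(deny_missing_memory_limit) == 0 with input as q
}

test_dotted_path_is_undefined {
  q := quota("1G")
  not input.spec.hard.limits.memory with input as q
}

test_numeric_limit_is_reported {
  q := quota(1024)
  count(deny_missing_memory_limit) == 1 with input as q
}
```

The `test_` rules can be run with `opa test` or `conftest verify`, so a policy that silently passes because of an undefined reference is caught before it is relied on as a gate.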