
nicholasjackson/golang-opa-rego-language

Rego is the declarative policy language used by Open Policy Agent (OPA) for writing and enforcing policies across cloud-native stacks, featuring data-driven rules, comprehensions, and 200+ built-in functions for infrastructure, security, and compliance automation.

Overall score: 97%


evals/scenario-3/task.md

Task: Kubernetes Admission Control Policy

Create a Kubernetes admission control policy in Rego that validates Pod specifications and produces descriptive denial messages.

Requirements

Policy file

Create admission.rego with package kubernetes.admission and import rego.v1.

The policy evaluates a Kubernetes AdmissionReview input. Containers are accessible at input.request.object.spec.containers.

Define a multi-value deny rule (a set of strings) — do not use a boolean allow/deny pattern. Each violation should produce a distinct, human-readable message string.

Implement the following checks:

1. Approved image registry

All container images must be pulled from registry.company.com. If a container's image does not start with registry.company.com/, produce a message of the form:

container <name> uses image <image> from an unapproved registry

2. Non-root execution

Every container's securityContext.runAsNonRoot must be true. If it is absent or false, produce a message of the form:

container <name> must set securityContext.runAsNonRoot = true

3. Resource limits

Every container must define both resources.limits.cpu and resources.limits.memory. If either is missing, produce a message of the form:

container <name> must define resource limits for cpu and memory
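A policy that satisfies the three checks above, written here as an added example (it is not code from the tile or from the scenario's reference solution). It assumes only what the task states: the Pod spec is reachable at input.request.object.spec.containers, the approved registry is registry.company.com, and each message follows the exact wording given above.

```rego
package kubernetes.admission

import rego.v1

# Containers of the Pod carried in the AdmissionReview request.
# Undefined (and therefore no denials) when the request has no Pod spec.
containers := input.request.object.spec.containers

# Check 1: every image must be pulled from the approved registry.
# The trailing slash matters: "registry.company.com.evil.io/app" must not pass.
deny contains msg if {
	some container in containers
	not startswith(container.image, "registry.company.com/")
	msg := sprintf("container %s uses image %s from an unapproved registry", [container.name, container.image])
}

# Check 2: securityContext.runAsNonRoot must be present and true.
# If securityContext or the field is absent the comparison is undefined,
# so `not` fires for both the missing case and the explicit-false case.
deny contains msg if {
	some container in containers
	not container.securityContext.runAsNonRoot == true
	msg := sprintf("container %s must set securityContext.runAsNonRoot = true", [container.name])
}

# Check 3: both a cpu and a memory limit must be defined.
deny contains msg if {
	some container in containers
	not has_resource_limits(container)
	msg := sprintf("container %s must define resource limits for cpu and memory", [container.name])
}

# True only when both limit fields exist; either one missing leaves the
# body undefined, which is what the deny rule above relies on.
has_resource_limits(container) if {
	container.resources.limits.cpu
	container.resources.limits.memory
}
```

Because deny is a set of strings, a container that fails several checks contributes one distinct message per check, and two containers with identical names and identical violations collapse into a single message. Note also that the task scopes the checks to spec.containers only; a production policy would normally walk initContainers and ephemeralContainers with the same rules, since those run in the Pod under the same security assumptions.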

Test file

Create admission_test.rego with package kubernetes.admission_test and import rego.v1.

Use the with input as { ... } keyword to inject mock Kubernetes objects. Include tests for:

  • A fully compliant pod (all containers pass all checks) — deny must be an empty set
  • A pod with a container using an image from an unapproved registry — deny must contain the expected message
  • A pod with a container missing runAsNonRoot: true — deny must contain the expected message
  • A pod with a container missing resource limits — deny must contain the expected message
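A test file covering the four cases listed above, added here as an example and not taken from the tile. It assumes the policy lives in package kubernetes.admission with a deny set, and builds its mock AdmissionReview objects from one constructed compliant container so that each negative test changes exactly one thing.

```rego
package kubernetes.admission_test

import rego.v1

import data.kubernetes.admission

# Constructed container that satisfies all three checks.
compliant_container := {
	"name": "app",
	"image": "registry.company.com/team/app:1.2.3",
	"securityContext": {"runAsNonRoot": true},
	"resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
}

# Wraps a list of containers in the AdmissionReview shape the policy reads.
admission_review(containers) := {"request": {"object": {"spec": {"containers": containers}}}}

test_compliant_pod_is_not_denied if {
	count(admission.deny) == 0 with input as admission_review([compliant_container])
}

test_unapproved_registry_is_denied if {
	bad := object.union(compliant_container, {"image": "docker.io/library/nginx:1.25"})
	review := admission_review([bad])
	"container app uses image docker.io/library/nginx:1.25 from an unapproved registry" in admission.deny with input as review
}

test_missing_run_as_non_root_is_denied if {
	# Dropping the whole securityContext exercises the "absent" branch.
	bad := object.remove(compliant_container, ["securityContext"])
	review := admission_review([bad])
	"container app must set securityContext.runAsNonRoot = true" in admission.deny with input as review
}

test_explicit_run_as_root_is_denied if {
	# runAsNonRoot: false must be rejected just like a missing field.
	bad := object.union(compliant_container, {"securityContext": {"runAsNonRoot": false}})
	review := admission_review([bad])
	"container app must set securityContext.runAsNonRoot = true" in admission.deny with input as review
}

test_missing_memory_limit_is_denied if {
	# Keep the cpu limit and drop memory: one missing field is enough to deny.
	no_limits := object.remove(compliant_container, ["resources"])
	bad := object.union(no_limits, {"resources": {"limits": {"cpu": "500m"}}})
	review := admission_review([bad])
	"container app must define resource limits for cpu and memory" in admission.deny with input as review
}

test_each_container_is_checked_independently if {
	# Two containers, each breaking a different rule, yield two distinct messages.
	root := object.union(compliant_container, {"name": "sidecar", "securityContext": {"runAsNonRoot": false}})
	foreign := object.union(compliant_container, {"name": "proxy", "image": "quay.io/org/proxy:2"})
	count(admission.deny) == 2 with input as admission_review([root, foreign])
}
```

Place both files in the same directory and run opa test . -v; each test_ rule is reported individually, so a regression in one check shows up by name rather than as a single failing suite.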

Run the tests

Run opa test . -v and confirm all tests pass.

Install with Tessl CLI

npx tessl i nicholasjackson/golang-opa-rego-language
