nicholasjackson/opa-rego-language

Rego is the declarative policy language used by Open Policy Agent (OPA). This tile covers writing and testing Rego policies for Kubernetes admission control, Terraform and infrastructure-as-code plan validation, Docker container authorization, HTTP API authorization, RBAC and role-based access control, data filtering, metadata annotations with opa inspect, and OPA policy testing with opa test.

docs/regal-boolean-structure.md

Regal: Boolean Assignments and Rule Structure

This document covers Regal rules related to boolean assignments and unconditional rule patterns.

Relevant Regal rules:

  • boolean-assignment — write boolean rules as rule if { ... } (with default rule := false where a defined false value is needed) rather than assigning true/false literals in the rule head
  • unconditional-assignment — avoid rules whose body always succeeds and always assigns the same value; express such constants as rule := value
  • prefer-set-or-object-rule — prefer incremental set or object rules (rule contains item, rule[key] := value) over a comprehension assigned to a top-level rule

Pattern: Boolean Rules

Use Rego's natural boolean rule syntax rather than assigning true/false literals.

# CORRECT: boolean rule (no assignment needed for true)
is_admin if input.role == "admin"

# CORRECT: default false, conditional true
default is_valid := false
is_valid if {
    input.name != ""
    count(input.name) >= 3
}
# WRONG: boolean assignment inside body (boolean-assignment violation)
is_admin := true if input.role == "admin"
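The following is an added example, not part of the tile's own docs, showing how the boolean-rule pattern scales to a small HTTP API authorization policy: several bodies for the same rule are OR'ed, lines within a body are AND'ed, and no body ever needs := true. The package name httpapi.authz, the input shape (method, path, user, role) and the test inputs are constructed for this example.

```rego
# file: httpapi/authz.rego  (constructed example)
package httpapi.authz

import rego.v1

# Deny by default; only an explicit match below makes allow true.
default allow := false

# Anyone may probe the health endpoint.
allow if {
    input.method == "GET"
    input.path == ["health"]
}

# A user may read their own record: GET /users/<their own name>.
allow if {
    input.method == "GET"
    input.path[0] == "users"
    input.path[1] == input.user
}

# Admins may do anything; `allow if is_admin` reads as plain English.
allow if is_admin

# Helper boolean rule: true when the body succeeds, undefined otherwise.
is_admin if input.role == "admin"
```

```rego
# file: httpapi/authz_test.rego  (constructed example)
package httpapi.authz_test

import rego.v1
import data.httpapi.authz

test_health_is_public if {
    authz.allow with input as {"method": "GET", "path": ["health"], "user": "anon", "role": "guest"}
}

test_user_cannot_read_other_user if {
    not authz.allow with input as {"method": "GET", "path": ["users", "bob"], "user": "alice", "role": "user"}
}

test_admin_reads_any_user if {
    authz.allow with input as {"method": "GET", "path": ["users", "bob"], "user": "carol", "role": "admin"}
}
```

Because allow is only ever true or undefined (false via default), the negative test uses not authz.allow rather than comparing against a literal; an input that matches none of the bodies falls through to the default without any rule having to assign false.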

Pattern: Unconditional Assignments

Express compile-time constants as simple assignments, not conditional rules.

# CORRECT: simple constant
max_retries := 3
allowed_methods := {"GET", "POST", "PUT", "DELETE"}
# WRONG: unconditional body (unconditional-assignment violation)
max_retries := 3 if {
    true
}

Pattern: Incremental Rules vs Comprehensions

Prefer incremental set or object rules over comprehensions assigned to a top-level rule.

# CORRECT: incremental rule
violations contains msg if {
    some container in input.spec.containers
    not container.resources.limits
    msg := sprintf("container %s has no resource limits", [container.name])
}
# WRONG: comprehension at top level (prefer-set-or-object-rule violation)
violations := {msg |
    some container in input.spec.containers
    not container.resources.limits
    msg := sprintf("container %s has no resource limits", [container.name])
}
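The incremental pattern applies to object rules as well as sets. As an added example (not from the tile's docs), the policy below keys the result by container name, which a plain set of messages cannot do, and derives a boolean rule from it. The package name kubernetes.limits and the rule names are assumptions for this example; the input shape follows the page's Kubernetes examples.

```rego
# file: kubernetes/limits.rego  (constructed example)
package kubernetes.limits

import rego.v1

# CORRECT: incremental object rule, one key per container that declares limits.
container_limits[container.name] := container.resources.limits if {
    some container in input.spec.template.spec.containers
    container.resources.limits
}

# CORRECT: incremental object rule for the failing containers, keyed by name.
missing_limits[container.name] := "no resource limits" if {
    some container in input.spec.template.spec.containers
    not container.resources.limits
}

# WRONG (prefer-set-or-object-rule violation): the same data as a top-level
# object comprehension.
#
# missing_limits := {container.name: "no resource limits" |
#     some container in input.spec.template.spec.containers
#     not container.resources.limits
# }

# Boolean rule built on the object: true only when nothing is missing.
default limits_ok := false

limits_ok if count(missing_limits) == 0
```

```rego
# file: kubernetes/limits_test.rego  (constructed example)
package kubernetes.limits_test

import rego.v1
import data.kubernetes.limits

pod_with_sidecar := {"spec": {"template": {"spec": {"containers": [
    {"name": "app", "resources": {"limits": {"cpu": "500m"}}},
    {"name": "sidecar"},
]}}}}

test_missing_limits_keyed_by_name if {
    limits.missing_limits == {"sidecar": "no resource limits"} with input as pod_with_sidecar
}

test_declared_limits_collected if {
    limits.container_limits == {"app": {"cpu": "500m"}} with input as pod_with_sidecar
}

test_limits_not_ok_when_any_missing if {
    not limits.limits_ok with input as pod_with_sidecar
}
```

Keying by container name makes the test assertions exact (the whole object is compared), and a downstream admission response can report which container failed without parsing a message string.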

Complete Example: Kubernetes Security Policy

package kubernetes.security
import rego.v1

# Boolean rule — no boolean assignment needed
default allow := false

allow if count(violations) == 0

# Incremental violations set
violations contains msg if {
    some container in input.spec.template.spec.containers
    container.securityContext.privileged == true
    msg := sprintf("container '%s' runs as privileged", [container.name])
}

violations contains msg if {
    some container in input.spec.template.spec.containers
    not container.resources.limits
    msg := sprintf("container '%s' has no resource limits", [container.name])
}

Testing Structure Rules

package kubernetes.security_test
import rego.v1
import data.kubernetes.security

test_allow_secure_pod if {
    security.allow with input as {
        "spec": {"template": {"spec": {"containers": [
            {"name": "app", "securityContext": {"privileged": false},
             "resources": {"limits": {"cpu": "500m"}}}
        ]}}}
    }
}

test_deny_privileged if {
    "container 'root' runs as privileged" in security.violations with input as {
        "spec": {"template": {"spec": {"containers": [
            {"name": "root", "securityContext": {"privileged": true},
             "resources": {"limits": {"cpu": "500m"}}}
        ]}}}
    }
}
