
nicholasjackson/opa-rego-language

Rego is the declarative policy language used by Open Policy Agent (OPA). This tile covers writing and testing Rego policies for Kubernetes admission control, Terraform and infrastructure-as-code plan validation, Docker container authorization, HTTP API authorization, RBAC and role-based access control, data filtering, metadata annotations with opa inspect, and OPA policy testing with opa test.


docs/regal-iteration-style.md

# Regal: Iteration Style

## Rule: prefer-some-in-iteration

Always use `some x in collection` for iteration — not the old bracket notation `x := collection[_]`. Regal rule `prefer-some-in-iteration`.

```rego
# Wrong — old bracket notation
container := input.request.object.spec.containers[_]

# Correct — some x in
some container in input.request.object.spec.containers
```

When you need both index and value:

```rego
some i, container in input.request.object.spec.containers
```

## Rule: mixed-iteration

Do not mix iteration styles within the same rule. Use `some x in` consistently throughout. Regal rule `mixed-iteration`.

## Rule: in-wildcard-key

When the key is unused, omit it — `some v in obj`, not `some _, v in obj`. Regal rule `in-wildcard-key`.
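
The three `some ... in` forms from the rules above (index and value over an array, value only over an object, key and value over an object) side by side in one admission policy. This is an added illustration, not a file from the `opa-rego-language` tile: the package name `kubernetes.admission.iteration_examples`, the required-limit check, the empty-label check and the `example.com/env` label prefix are all constructed for the example.

```rego
# METADATA
# title: Iteration style illustrations
# description: Constructed example of the three `some ... in` forms; not part of the tile
package kubernetes.admission.iteration_examples

import rego.v1

# Index and value over an array. Keeping the index lets the message point at
# containers[i], which stays unambiguous even if two containers share a name.
# The required-limit check is a constructed policy for this example.
deny contains msg if {
	input.request.kind.kind == "Pod"
	some i, container in input.request.object.spec.containers
	some resource in {"cpu", "memory"} # set iteration: there is no key to name
	not container.resources.limits[resource]
	msg := sprintf("containers[%d] (%v) has no %v limit", [i, container.name, resource])
}

# Value only over an object. The label key plays no part in the check, so
# `some v in obj` is used rather than `some _, v in obj` (in-wildcard-key).
deny contains msg if {
	input.request.kind.kind == "Pod"
	some v in input.request.object.metadata.labels
	v == ""
	msg := "label values must not be empty"
}

# Key and value over an object. Both are used, so both are named: labels under
# the constructed example.com/env prefix may only carry a listed environment.
deny contains msg if {
	input.request.kind.kind == "Pod"
	some k, v in input.request.object.metadata.labels
	startswith(k, "example.com/env")
	not v in {"prod", "staging", "dev"}
	msg := sprintf("label %v has unexpected value %v", [k, v])
}
```

Evaluate it against an admission review saved as `pod.json` with `opa eval -d iteration_examples.rego -i pod.json 'data.kubernetes.admission.iteration_examples.deny'`, and run `regal lint iteration_examples.rego` to confirm none of the three iteration rules fire; rewriting any of the `some ... in` lines back to `[_]` form makes `prefer-some-in-iteration` report it.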

## Full Example

```rego
# METADATA
# title: Container Image Registry Validation
# description: Denies pods with containers using images from unapproved registries
# authors:
# - Security Team <security@example.com>
# custom:
#   category: kubernetes-admission
package kubernetes.admission

import rego.v1

# METADATA
# title: Deny unapproved image registries
# description: Every container image must come from registry.example.com
# entrypoint: true
# custom:
#   severity: HIGH
deny contains msg if {
    input.request.kind.kind == "Pod"
    some container in input.request.object.spec.containers
    not startswith(container.image, "registry.example.com/")
    msg := sprintf("container '%v' uses image from unapproved registry: %v", [container.name, container.image])
}
```

## Testing

```rego
# admission_test.rego
package kubernetes.admission_test

import rego.v1
import data.kubernetes.admission

test_deny_unapproved_registry if {
    result := admission.deny with input as {
        "request": {
            "kind": {"kind": "Pod"},
            "object": {
                "metadata": {"name": "my-pod"},
                "spec": {"containers": [
                    {"name": "sidecar", "image": "docker.io/nginx:latest"}
                ]}
            }
        }
    }
    count(result) == 1
}

test_allow_approved_registry if {
    result := admission.deny with input as {
        "request": {
            "kind": {"kind": "Pod"},
            "object": {
                "metadata": {"name": "my-pod"},
                "spec": {"containers": [
                    {"name": "app", "image": "registry.example.com/myapp:v1"}
                ]}
            }
        }
    }
    count(result) == 0
}

test_deny_any_unapproved_container if {
    result := admission.deny with input as {
        "request": {
            "kind": {"kind": "Pod"},
            "object": {
                "metadata": {"name": "my-pod"},
                "spec": {"containers": [
                    {"name": "app", "image": "registry.example.com/myapp:v1"},
                    {"name": "sidecar", "image": "docker.io/nginx:latest"}
                ]}
            }
        }
    }
    count(result) == 1
}
```
