nicholasjackson/opa-rego-language
Rego is the declarative policy language used by Open Policy Agent (OPA). This tile covers writing and testing Rego policies for Kubernetes admission control, Terraform and infrastructure-as-code plan validation, Docker container authorization, HTTP API authorization, RBAC and role-based access control, data filtering, metadata annotations with opa inspect, and OPA policy testing with opa test.
99
Quality
Pending
Does it follow best practices?
Impact
99%
1.19xAverage score across 31 eval scenarios
Pending
The risk profile of this skill
task.mdevals/scenario-11/
Metadata: Runtime Annotation Access
Write a Rego policy for Kubernetes pod admission that reads its own rule metadata at runtime and includes the severity level from annotations in the violation output.
The violation output must be a structured object (not a plain string) containing both the severity from the rule's custom.severity annotation and a message field.
Input
{
"request": {
"kind": {"kind": "Pod"},
"object": {
"metadata": {"name": "my-pod"},
"spec": {
"containers": [
{"name": "app", "securityContext": {"privileged": true}}
]
}
}
}
}Expected behaviour
- Deny privileged containers
- The violation must be a structured object:
{"severity": "HIGH", "message": "..."} - The severity value comes from the rule's own
# METADATAannotation (custom.severity: HIGH), accessed viarego.metadata.rule()at runtime — not hardcoded
Also write a _test.rego file that tests the policy with both a passing case and a failing case.
docs
evals
scenario-1
scenario-2
scenario-3
scenario-4
scenario-5
scenario-6
scenario-7
scenario-8
scenario-9
scenario-10
scenario-11
scenario-12
scenario-13
scenario-14
scenario-15
scenario-16
scenario-17
scenario-18
scenario-19
scenario-20
scenario-21
scenario-22
scenario-23
scenario-24
scenario-25
scenario-26
scenario-27
scenario-28
scenario-29
scenario-30
scenario-31