nicholasjackson/opa-rego-language
Rego is the declarative policy language used by Open Policy Agent (OPA). This tile covers writing and testing Rego policies for Kubernetes admission control, Terraform and infrastructure-as-code plan validation, Docker container authorization, HTTP API authorization, RBAC and role-based access control, data filtering, metadata annotations with opa inspect, and OPA policy testing with opa test.
99
Quality
Pending
Does it follow best practices?
Impact
99%
1.19xAverage score across 31 eval scenarios
Pending
The risk profile of this skill
task.mdevals/scenario-23/
Regal: Bug Avoidance — Namespace Policy Validation
Write a Rego policy in the package kubernetes.namespaces that validates Kubernetes namespace objects. The policy should:
- Use
deny contains msg if { ... }for collecting violations - Deny when the namespace name is in
data.restricted_names— check usinginput.metadata.name in data.restricted_names(not!= restricted_names[_]which is a common bug) - Deny when a required annotation
"owner"is missing frominput.metadata.annotations - Use
sprintfwith the correct number of arguments matching the format string verbs
Input
{
"metadata": {
"name": "production",
"annotations": {
"owner": "platform-team"
}
}
}Data
{
"restricted_names": ["default", "kube-system", "kube-public"]
}Expected behaviour
productionwithownerannotation → no violationskube-system→ deny (restricted name)- Missing
ownerannotation → deny with annotation name in message - Both violations → two deny messages
docs
evals
scenario-1
scenario-2
scenario-3
scenario-4
scenario-5
scenario-6
scenario-7
scenario-8
scenario-9
scenario-10
scenario-11
scenario-12
scenario-13
scenario-14
scenario-15
scenario-16
scenario-17
scenario-18
scenario-19
scenario-20
scenario-21
scenario-22
scenario-23
scenario-24
scenario-25
scenario-26
scenario-27
scenario-28
scenario-29
scenario-30
scenario-31