CtrlK
BlogDocsLog inGet started
Tessl Logo

nicholasjackson/opa-rego-language

Rego is the declarative policy language used by Open Policy Agent (OPA). This tile covers writing and testing Rego policies for Kubernetes admission control, Terraform and infrastructure-as-code plan validation, Docker container authorization, HTTP API authorization, RBAC and role-based access control, data filtering, metadata annotations with opa inspect, and OPA policy testing with opa test.

99

1.19x

Quality

Pending

Does it follow best practices?

Impact

99%

1.19x

Average score across 31 eval scenarios

SecuritybySnyk

Pending

The risk profile of this skill

Overview
Eval results
Files

task.mdevals/scenario-26/

Regal: Function Style — Container Security Validation

Write a Rego policy that validates container security settings in Kubernetes Pods. Use helper functions to check individual container properties. Each helper function must take the container object as an explicit argument — do not reference input or data directly inside a function body.

Check the following per container:

  • The container must not run as privileged (securityContext.privileged != true)
  • The container must declare resource limits (resources.limits.cpu and resources.limits.memory)

Input

{
  "request": {
    "kind": {"kind": "Pod"},
    "object": {
      "metadata": {"name": "my-pod"},
      "spec": {
        "containers": [
          {
            "name": "app",
            "image": "myapp:latest",
            "securityContext": {"privileged": true},
            "resources": {"limits": {"cpu": "100m", "memory": "128Mi"}}
          }
        ]
      }
    }
  }
}

Expected behaviour

  • The example input must be denied — app is privileged
  • A container with privileged: false and resource limits must be allowed
  • A container missing resource limits must be denied (separate violation)
  • Include the container name in each denial message

evals

scenario-26

rubric.json

task.md

README.md

rules.md

tile.json