rancher-charts/charts/rancher-gatekeeper/3.3.000/templates/requiredlabels.yaml

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          properties:
            message:
              type: string
            labels:
              type: array
              items:
                type: object
                properties:
                  key:
                    type: string
                  allowedRegex:
                    type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        get_message(parameters, _default) = msg {
          not parameters.message
          msg := _default
        }

        get_message(parameters, _default) = msg {
          msg := parameters.message
        }

        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_].key}
          missing := required - provided
          count(missing) > 0
          def_msg := sprintf("you must provide labels: %v", [missing])
          msg := get_message(input.parameters, def_msg)
        }

        violation[{"msg": msg}] {
          value := input.review.object.metadata.labels[key]
          expected := input.parameters.labels[_]
          expected.key == key
          # do not match if allowedRegex is not defined, or is an empty string
          expected.allowedRegex != ""
          not re_match(expected.allowedRegex, value)
          def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex])
          msg := get_message(input.parameters, def_msg)
        }
add charts 2021-08-30 16:48:23 +00:00			`apiVersion: templates.gatekeeper.sh/v1beta1`
			`kind: ConstraintTemplate`
			`metadata:`
			`name: k8srequiredlabels`
			`spec:`
			`crd:`
			`spec:`
			`names:`
			`kind: K8sRequiredLabels`
			`validation:`
			# Schema for the `parameters` field
			`openAPIV3Schema:`
			`properties:`
			`message:`
			`type: string`
			`labels:`
			`type: array`
			`items:`
			`type: object`
			`properties:`
			`key:`
			`type: string`
			`allowedRegex:`
			`type: string`
			`targets:`
			`- target: admission.k8s.gatekeeper.sh`
			`rego: \|`
			`package k8srequiredlabels`

			`get_message(parameters, _default) = msg {`
			`not parameters.message`
			`msg := _default`
			`}`

			`get_message(parameters, _default) = msg {`
			`msg := parameters.message`
			`}`

			`violation[{"msg": msg, "details": {"missing_labels": missing}}] {`
			`provided := {label \| input.review.object.metadata.labels[label]}`
			`required := {label \| label := input.parameters.labels[_].key}`
			`missing := required - provided`
			`count(missing) > 0`
			`def_msg := sprintf("you must provide labels: %v", [missing])`
			`msg := get_message(input.parameters, def_msg)`
			`}`

			`violation[{"msg": msg}] {`
			`value := input.review.object.metadata.labels[key]`
			`expected := input.parameters.labels[_]`
			`expected.key == key`
			`# do not match if allowedRegex is not defined, or is an empty string`
			`expected.allowedRegex != ""`
			`not re_match(expected.allowedRegex, value)`
			`def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex])`
			`msg := get_message(input.parameters, def_msg)`
			`}`