
Rego: how to specify not having either of multiple conditions


How can I validate the existence of two separate keys in Rego for OPA? Currently, I'm using the not operator like so:

    deny["Containers must specify readiness and liveness probes"] {
      not container.readinessProbe
      not container.livenessProbe
    }

However, this only denies containers without both livenessProbe and readinessProbe. How do I specify to deny a container missing either of the two keys?


Solution

  • For this case I think it makes sense to just have a deny rule for each:

    deny["Containers must specify readiness probes"] {
      not container.readinessProbe
    }
    
    deny["Containers must specify liveness probes"] {
      not container.livenessProbe
    }
    

    With Rego policies, the rules are OR'd together, and the rule body statements are AND'd. So if you are trying to express an OR condition, typically look to have a rule for each case.
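The same OR-across-rules behaviour can also keep the single combined message from the question by moving the OR into a helper that is defined twice. The following is an added example, not code from the original question or answer; the package name, the Deployment-shaped `input` path, the `missing_probe` helper and the sample data are assumptions, and it assumes an OPA release that supports `import rego.v1`.

```rego
package kubernetes.probes # hypothetical package name

import rego.v1

# OR: the helper is defined twice; it is true if either body holds.
missing_probe(container) if {
	not container.readinessProbe
}

missing_probe(container) if {
	not container.livenessProbe
}

# AND: every statement in this body must hold for the message to be emitted.
deny contains msg if {
	some container in input.spec.template.spec.containers # assumed input shape
	missing_probe(container)
	msg := sprintf("container %q must specify readiness and liveness probes", [container.name])
}

# Constructed input: "web" has both probes, "api" lacks livenessProbe,
# "sidecar" lacks both.
sample := {"spec": {"template": {"spec": {"containers": [
	{
		"name": "web",
		"readinessProbe": {"tcpSocket": {"port": 80}},
		"livenessProbe": {"tcpSocket": {"port": 80}},
	},
	{"name": "api", "readinessProbe": {"tcpSocket": {"port": 8080}}},
	{"name": "sidecar"},
]}}}}

# Only the containers missing at least one probe are reported, once each.
test_deny_when_either_probe_is_missing if {
	result := deny with input as sample
	result == {
		`container "api" must specify readiness and liveness probes`,
		`container "sidecar" must specify readiness and liveness probes`,
	}
}
```

Saved to a `.rego` file, the policy and its test can be checked with `opa test`.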