Just started to deal with conftest and OPA, I'm trying to validate a sample kubernetes deployment manifest to make sure it contains a specific key in a list (i.e. image exists for all containers)
here's a sample input
apiVersion: apps/v1
kind: Deployment
spec:
template:
spec:
containers:
- image: hub.com/img1:tag1
imagePullPolicy: Always
I thought this policy should check the existence of image for all containers:
deny[reason] {
input.kind == "Deployment"
some i
not input.spec.template.spec.containers[i].image
reason := "Container.image not found"
}
but conftest throws an error complaining not input.spec.template.spec.containers[i].image expression is unsafe
Any comments/suggestions on how to deal with this case is appreciated.
Ensure variables in negated expressions (not ...) are assigned in another non-negated expression in the rule. For example:
deny[reason] {
input.kind == "Deployment"
container := input.spec.template.spec.containers[_]
not container.image
reason := "Container.image not found"
}
In this version, the only variable in the negated expression is container. The container variable is assigned on the previous line, so the expression is safe.
OPA complains about not input.spec.template.spec.containers[i].image because it will search for all variable assignments that make the expressions in the rule true. Since the variable i is not assigned anywhere else, there would be an infinite number of assignments to i that satisfy not input.spec.template.spec.containers[i].image... e.g., i = 100, i = -1, i = "foo", etc. Since we want to guarantee that policy execution terminates, OPA rejects the expression.
More information and examples on safety here: https://www.openpolicyagent.org/docs/latest/faq/#safety