Tags: kubernetes, open-policy-agent, rego

How to determine if an object is empty with rego language


In Kubernetes OPA Gatekeeper, I need to determine whether volumeName is defined in a PVC object, like the one below:

{
    "apiVersion": "v1",
    "kind": "PersistentVolumeClaim",
    "metadata": {
        "annotations": {},
        "name": "pvc-test-mxh",
        "namespace": "default"
    },
    "spec": {
        "accessModes": [
            "ReadWriteOnce"
        ],
        "resources": {
            "requests": {
                "storage": "5Gi"
            }
        },
        "storageClassName": "csi-disk",
        "volumeName": "mxh-test"
    }
}

Here, volumeName is defined, which is the normal behavior that is allowed by the Gatekeeper policy; when volumeName is missing, it should match the violation. But how do I write this policy? I tried input.review.object.spec.volumeName == "" or count(input.review.object.spec.volumeName) <= 0, but it seems like neither worked. Could anyone help?


Solution

  • You'd normally use the not keyword for that purpose:

    not input.review.object.spec.volumeName
    

    not will evaluate to true if input.review.object.spec.volumeName is undefined, and correspondingly to undefined if input.review.object.spec.volumeName is set.
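As an added example (not the answer's or the Gatekeeper project's own code), the following is a complete Gatekeeper-style Rego policy built around the `not` keyword from the answer. The package name `k8spvcrequirevolumename` is an assumption. It goes a step beyond the answer: because `""` is a defined (and truthy) value in Rego, `not input.review.object.spec.volumeName` only fires when the field is absent, so a second rule is included for the empty-string case the question also asked about.

```rego
# Added example policy; package name is a hypothetical choice, not from the answer.
package k8spvcrequirevolumename

# Only evaluate PersistentVolumeClaim objects handed to Gatekeeper in input.review.object.
is_pvc {
  input.review.object.kind == "PersistentVolumeClaim"
}

# Rule 1: spec.volumeName is absent.
# `not <ref>` is true when the reference is undefined, so a PVC without the
# field matches here; a PVC that sets any value (even "") does not.
violation[{"msg": msg}] {
  is_pvc
  not input.review.object.spec.volumeName
  msg := sprintf("PVC %v/%v has no spec.volumeName", [
    input.review.object.metadata.namespace,
    input.review.object.metadata.name,
  ])
}

# Rule 2: spec.volumeName is present but empty.
# An empty string is a defined value, so rule 1 does not catch it; compare explicitly.
violation[{"msg": msg}] {
  is_pvc
  input.review.object.spec.volumeName == ""
  msg := sprintf("PVC %v/%v has an empty spec.volumeName", [
    input.review.object.metadata.namespace,
    input.review.object.metadata.name,
  ])
}
```

To try it offline with `opa eval`, wrap the PVC from the question as Gatekeeper would present it, i.e. `{"review": {"object": {...PVC...}}}`, save it as the input file, and query `data.k8spvcrequirevolumename.violation`. With the original PVC (volumeName set to "mxh-test") the set is empty; deleting the field or setting it to "" produces one violation message each.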