In kuberntes OPA gatekeeper, I need to determine if there is volumeName
defined in PVC object, like below code:
{
"apiVersion": "v1",
"kind": "PersistentVolumeClaim",
"metadata": {
"annotations": {},
"name": "pvc-test-mxh",
"namespace": "default"
},
"spec": {
"accessModes": [
"ReadWriteOnce"
],
"resources": {
"requests": {
"storage": "5Gi"
}
},
"storageClassName": "csi-disk",
"volumeName": "mxh-test"
}
}
here, the volumeName
is defined and belongs to normal behavior that it's allowed in the gatekeeper policy; while volumeName
is missing here it would match to the violation. But how to write this policy, I tried input.review.object.spec.volumeName == ""
or count(input.review.object.spec.volumeName) <= 0
, seems like it didn't work, anyone could help?
You'd normally use the not
keyword for that purpose:
not input.review.object.spec.volumeName
not
will evaluate to true if input.review.object.spec.volumeName
is undefined, and correspondingly to undefined if input.review.object.spec.volumeName
is set.