We are going to create a validation policy that validates the labels of generic Kubernetes objects.
The policy will reject all the resources that use one or more labels on the deny list. The policy will also validate certain labels using a regular expression provided by the user.
To summarize, the policy settings will look like this:

    # List of labels that cannot be used
    denied_labels:
    - foo
    - bar

    # Labels that are validated with user-defined regular expressions
    constrained_labels:
      priority: ""
      # single-quoted so that YAML keeps the backslash literal
      cost-center: '^cc-\d+'

The policy would reject the creation of this Pod:

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx
      labels:
        foo: hello world
    spec:
      containers:
        - name: nginx
          image: nginx:latest

The policy would also reject the creation of this Pod:

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx
      labels:
        cost-center: cc-marketing
    spec:
      containers:
        - name: nginx
          image: nginx:latest

The policy's settings can also be used to force certain labels to be specified, regardless of their contents:

    # Policy's settings
    constrained_labels:
      mandatory-label: ".*" # <- this label must be present, we don't care about its value

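The checks described above, sketched in plain Go as an added example (not code from this page or from the Kubewarden template). The `Settings` type, `NewSettings` and `Validate` are hypothetical names, and the labels are passed in as a map instead of being read from an admission request.

```go
package main

import (
	"fmt"
	"regexp"
)

// Settings mirrors the settings shown above; type and field names are assumptions.
type Settings struct {
	Denied      []string
	Constrained map[string]*regexp.Regexp
}

// NewSettings compiles each pattern once, so a bad regular expression fails at load time.
func NewSettings(denied []string, constrained map[string]string) (Settings, error) {
	s := Settings{Denied: denied, Constrained: map[string]*regexp.Regexp{}}
	for name, pattern := range constrained {
		re, err := regexp.Compile(pattern)
		if err != nil {
			return Settings{}, fmt.Errorf("label %q: invalid pattern: %w", name, err)
		}
		s.Constrained[name] = re
	}
	return s, nil
}

// Validate returns nil to accept the labels, or an error naming the violation.
func (s Settings) Validate(labels map[string]string) error {
	for _, name := range s.Denied {
		if _, found := labels[name]; found {
			return fmt.Errorf("label %q is on the deny list", name)
		}
	}
	for name, re := range s.Constrained {
		value, found := labels[name]
		if !found { // a constrained label is also a mandatory one
			return fmt.Errorf("label %q must be set", name)
		}
		if !re.MatchString(value) { // unanchored unless the pattern uses ^ and $
			return fmt.Errorf("label %q: value %q does not match %s", name, value, re.String())
		}
	}
	return nil
}

func main() {
	s, _ := NewSettings([]string{"foo", "bar"}, map[string]string{"cost-center": `^cc-\d+`})
	fmt.Println(s.Validate(map[string]string{"cost-center": "cc-marketing"})) // constructed sample
}
```

Go's `MatchString` is unanchored, so the `^cc-\d+` pattern from the settings accepts a value such as `cc-42-x`; end the pattern with `$` when the whole value must match.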
The creation of a new policy project can be done by using this GitHub template repository: kubewarden/go-policy-template. Just press the "Use this template" green button near the top of the page and follow GitHub's wizard.
Clone the repository locally and then ensure the module directive inside the go.mod file looks like this:

    module <path to your repository>