Namespaced rules

Block resources with the forbidden test label in specific namespaces. The rule serves as an example to demonstrate how to restrict a rule to namespaces.

Use rule

In order to use this rule:

  1. Adjust the label mapping to the target value.
  2. Adjust the metavariable regular expression for $NS to match your target namespaces.
  3. Create the configmap via:
    kubectl create configmap -n semgr8ns forbidden-namespaced-label --from-file=rules/forbidden-namespaced-label.yaml
    kubectl label configmap -n semgr8ns forbidden-namespaced-label semgr8s/rule=true
    

Rule

rules/forbidden-namespaced-label.yaml
rules:
- id: forbidden-namespaced-label
  message: Kubernetes resource with label forbidden in designated namespace. Any resource with label "semgr8s-test=forbidden-test-label-e3b0c44298fc1c" is denied for this namespace. This label carries no meaning beyond testing and demonstration purposes.
  languages: [yaml]
  severity: INFO
  patterns:
    - pattern-inside: |
        metadata:
          ...
          namespace: $NS
        ...
    - metavariable-regex:
        metavariable: $NS
        regex: (test-semgr8s|audit-semgr8s)
    # remaining pattern as normal
    - pattern-inside: |
        metadata:
          ...
    - pattern-inside: |
        labels:
          ...
    - pattern: |
        semgr8s-test: forbidden-test-label-e3b0c44298fc1c
  fix: "semgr8s-test: allowed-test-label"
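
The namespace restriction from step 2, modelled in Python as an added example (not code from the semgr8s project). The helpers `rule_matches`, `pod` and `blocked_namespaces` and the sample namespaces are constructed here, and the model assumes that Semgrep anchors `metavariable-regex` on the left only, which `re.match` reproduces. It shows which namespaces the regex as written covers and how appending `$` narrows it to exact names.

```python
import re

# Values copied from rules/forbidden-namespaced-label.yaml above.
NS_REGEX = r"(test-semgr8s|audit-semgr8s)"
LABEL_KEY, LABEL_VALUE = "semgr8s-test", "forbidden-test-label-e3b0c44298fc1c"


def rule_matches(manifest, ns_regex=NS_REGEX):
    """Model of the rule: forbidden label under metadata.labels AND
    metadata.namespace accepted by the $NS metavariable-regex."""
    meta = manifest.get("metadata") or {}
    namespace = meta.get("namespace")
    if namespace is None:
        # Without a namespace key the first pattern-inside cannot bind $NS.
        return False
    # Assumption: left-anchored matching, modelled with re.match.
    if re.match(ns_regex, namespace) is None:
        return False
    return (meta.get("labels") or {}).get(LABEL_KEY) == LABEL_VALUE


def pod(namespace=None, label=LABEL_VALUE):
    """Build a constructed (not real) Pod manifest for the demo."""
    meta = {"name": "demo", "labels": {LABEL_KEY: label}}
    if namespace is not None:
        meta["namespace"] = namespace
    return {"apiVersion": "v1", "kind": "Pod", "metadata": meta}


# Constructed sample namespaces, including near-misses of the targets.
SAMPLES = ["test-semgr8s", "audit-semgr8s", "test-semgr8s-staging",
           "my-test-semgr8s", "default", None]


def blocked_namespaces(ns_regex=NS_REGEX):
    """Return the sample namespaces in which the labelled Pod is denied."""
    return [ns for ns in SAMPLES if rule_matches(pod(ns), ns_regex)]


if __name__ == "__main__":
    print("regex from the page:", blocked_namespaces())
    print("right-anchored     :", blocked_namespaces(NS_REGEX + "$"))
    print("allowed label      :", rule_matches(pod("test-semgr8s", "allowed-test-label")))
```

Under this model a namespace that merely starts with a target name, such as `test-semgr8s-staging`, is also covered unless the regex ends in `$`.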