
Scoping to pods

Block pods that carry the forbidden test label. The rule serves as an example of how to restrict a rule to a specific resource type (here objects with kind: Pod), so that the same label on other resource kinds is not matched.

Use rule

In order to use this rule:

  1. Adjust the label mapping to the target value.
  2. Adjust the kind: Pod mapping to your target resource type.
  3. Create the ConfigMap and mark it as a semgr8s rule via:

     kubectl create configmap -n semgr8ns forbidden-pod-label --from-file=rules/forbidden-pod-label.yaml
     kubectl label configmap -n semgr8ns forbidden-pod-label semgr8s/rule=true

Rule

rules/forbidden-pod-label.yaml
rules:
- id: forbidden-pod-label
  message: Kubernetes pod with forbidden label. Any pod with label "semgr8s-test=forbidden-test-label-e3b0c44298fc1c" is denied. This label carries no meaning beyond testing and demonstration purposes.
  languages: [yaml]
  severity: INFO
  patterns:
    - pattern-inside: |
        ...
        kind: Pod
        ...
    # remaining pattern as normal
    - pattern-inside: |
        metadata:
          ...
    - pattern-inside: |
        labels:
          ...
    - pattern: |
        semgr8s-test: forbidden-test-label-e3b0c44298fc1c
  fix: "semgr8s-test: allowed-test-label"
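To make the scoping behaviour of the rule concrete without running Semgrep, the following added example (not part of semgr8s or of the rule above) re-implements its three conditions over already-parsed Kubernetes manifests: the object must be of the target kind, it must have metadata.labels, and those labels must contain the forbidden key/value pair. It also applies the rule's fix (rewriting the label to the allowed value) and shows why a Deployment carrying the same label is not matched. The manifests are constructed sample data embedded as plain dicts, as kubectl or a YAML parser would produce; the function names are this example's own.

```python
"""Emulation of the forbidden-pod-label rule's scoping and fix.

Added example, not semgr8s or Semgrep code. Manifests are plain dicts
(what a YAML parser would return), so the script runs offline.
"""
from copy import deepcopy

# Values taken from the rule on the page; the kind is the scoping mapping.
FORBIDDEN_KEY = "semgr8s-test"
FORBIDDEN_VALUE = "forbidden-test-label-e3b0c44298fc1c"
ALLOWED_VALUE = "allowed-test-label"          # from the rule's fix
TARGET_KIND = "Pod"                           # the "kind: Pod" pattern-inside


def matches(manifest, target_kind=TARGET_KIND):
    """Return True if the rule would deny this manifest.

    Mirrors the rule's patterns in order: kind must equal target_kind
    (first pattern-inside), metadata.labels must exist (second and third
    pattern-inside), and the forbidden label must be present (pattern).
    Only the object's own metadata is inspected, so a Deployment whose
    pod template carries the label is not matched.
    """
    if manifest.get("kind") != target_kind:
        return False
    labels = (manifest.get("metadata") or {}).get("labels") or {}
    return labels.get(FORBIDDEN_KEY) == FORBIDDEN_VALUE


def apply_fix(manifest, target_kind=TARGET_KIND):
    """Return a copy with the rule's fix applied (input left untouched)."""
    fixed = deepcopy(manifest)
    if matches(fixed, target_kind):
        fixed["metadata"]["labels"][FORBIDDEN_KEY] = ALLOWED_VALUE
    return fixed


def denied_names(manifests, target_kind=TARGET_KIND):
    """Names (kind/name) of all manifests the rule would deny."""
    return [
        f"{m['kind']}/{m['metadata']['name']}"
        for m in manifests
        if matches(m, target_kind)
    ]


# Constructed sample manifests (not from the page).
POD_FORBIDDEN = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "forbidden-pod",
                 "labels": {FORBIDDEN_KEY: FORBIDDEN_VALUE}},
    "spec": {"containers": [{"name": "app", "image": "nginx"}]},
}
POD_OK = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "plain-pod", "labels": {"app": "web"}},
    "spec": {"containers": [{"name": "app", "image": "nginx"}]},
}
POD_NO_LABELS = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "unlabelled-pod"},
    "spec": {"containers": [{"name": "app", "image": "nginx"}]},
}
# Same label on a Deployment: outside the rule's kind: Pod scope.
DEPLOYMENT_FORBIDDEN = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web",
                 "labels": {FORBIDDEN_KEY: FORBIDDEN_VALUE}},
    "spec": {"template": {"metadata": {"labels": {"app": "web"}}}},
}
SAMPLE_MANIFESTS = [POD_FORBIDDEN, POD_OK, POD_NO_LABELS, DEPLOYMENT_FORBIDDEN]


if __name__ == "__main__":
    for m in SAMPLE_MANIFESTS:
        verdict = "DENY" if matches(m) else "allow"
        print(f"{verdict:5} {m['kind']}/{m['metadata']['name']}")
    print("after fix:", apply_fix(POD_FORBIDDEN)["metadata"]["labels"])
```

Changing the target_kind argument (or TARGET_KIND, the counterpart of editing the kind: Pod mapping in step 2 above) is all that is needed to make the Deployment match instead.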