
Scoping to multiple resource types

This rule blocks workloads that carry the forbidden test label. It serves as an example of how to restrict a rule to a defined set of resource types.

Use rule

In order to use this rule:

  1. Adjust the label key and value to the label you want to deny.
  2. Adjust the metavariable regular expression for $KIND so that it matches your target resource types.
  3. Create the configmap via:
    kubectl create configmap -n semgr8ns forbidden-workload-label --from-file=rules/forbidden-workload-label.yaml
    kubectl label configmap -n semgr8ns forbidden-workload-label semgr8s/rule=true

Rule

rules/forbidden-workload-label.yaml
rules:
- id: forbidden-workload-label
  message: Kubernetes workload with forbidden label. Any workload resource with label "semgr8s-test=forbidden-test-label-e3b0c44298fc1c" is denied. This label carries no meaning beyond testing and demonstration purposes.
  languages: [yaml]
  severity: INFO
  patterns:
    - pattern-inside: |
        ...
        kind: $KIND
        ...
    - metavariable-regex:
        metavariable: $KIND
        regex: (Pod|Deployment|ReplicaSet|DaemonSet|StatefulSet)
    # remaining pattern as normal
    - pattern-inside: |
        metadata:
          ...
    - pattern-inside: |
        labels:
          ...
    - pattern: |
        semgr8s-test: forbidden-test-label-e3b0c44298fc1c
  fix: "semgr8s-test: allowed-test-label"
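To see what the scoping above actually decides, here is an added Python model of the rule's logic (not code from semgr8s or the page): it applies the same kind set and the same forbidden label to a few constructed manifests, including a kind outside the scope that carries the label and a kind whose name merely starts with "Pod". The kind check is written as an anchored full match; if you want the Semgrep rule to behave the same way regardless of how metavariable-regex anchors, write the regex as ^(Pod|Deployment|ReplicaSet|DaemonSet|StatefulSet)$.

```python
import re
from typing import Any, Dict, List

# Same kind set and label as the rule on this page; the regex is
# anchored here so that e.g. "PodTemplate" is not treated as "Pod".
KIND_REGEX = re.compile(r"^(Pod|Deployment|ReplicaSet|DaemonSet|StatefulSet)$")
FORBIDDEN_KEY = "semgr8s-test"
FORBIDDEN_VALUE = "forbidden-test-label-e3b0c44298fc1c"


def is_denied(manifest: Dict[str, Any]) -> bool:
    """True when the manifest would be rejected by the rule: the kind is one
    of the scoped workload kinds AND metadata.labels carries the forbidden label."""
    kind = str(manifest.get("kind", ""))
    if not KIND_REGEX.fullmatch(kind):
        return False  # out of scope: other kinds pass whatever labels they carry
    metadata = manifest.get("metadata") or {}
    labels = metadata.get("labels") or {}  # missing labels block -> nothing to match
    return labels.get(FORBIDDEN_KEY) == FORBIDDEN_VALUE


def evaluate(manifests: List[Dict[str, Any]]) -> Dict[str, bool]:
    """Map each manifest's metadata.name to the rule's decision."""
    return {m["metadata"]["name"]: is_denied(m) for m in manifests}


# Constructed sample manifests (not from the page) covering the decision table.
FORBIDDEN = {FORBIDDEN_KEY: FORBIDDEN_VALUE}
SAMPLES = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "web", "labels": dict(FORBIDDEN)}},            # in scope, label -> denied
    {"apiVersion": "v1", "kind": "Service",
     "metadata": {"name": "web-svc", "labels": dict(FORBIDDEN)}},        # out of scope -> allowed
    {"apiVersion": "apps/v1", "kind": "StatefulSet",
     "metadata": {"name": "db", "labels": {FORBIDDEN_KEY: "allowed-test-label"}}},  # fix value -> allowed
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "no-labels"}},                                 # no labels -> allowed
    {"apiVersion": "v1", "kind": "PodTemplate",
     "metadata": {"name": "tmpl", "labels": dict(FORBIDDEN)}},           # prefix only -> allowed
]

if __name__ == "__main__":
    for name, denied in evaluate(SAMPLES).items():
        print(f"{name}: {'DENIED' if denied else 'allowed'}")
```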