Statements
Match
The match statement provides a way to filter resources which will be validated by the policy.
It can be a condition or a logical condition.
Examples
- match statement with single condition:
match:
  field: kind
  operator: equal
  value: Deployment
- match statement with logical conditions:
match:
  and:
  - field: kind
    operator: equal
    value: Deployment
  - field: metadata.namespace
    operator: equal
    value: default
Exclude
The exclude statement is used to exclude resources from being validated by the policy.
It can be a condition or a logical condition.
Examples
- exclude statement with single condition:
exclude:
  field: metadata.namespace
  operator: equal
  value: kube-system
- exclude statement with logical conditions:
exclude:
  or:
  - field: kind
    operator: equal
    value: Secret
  - field: metadata.namespace
    operator: equal
    value: kube-system
Globals
New in v0.2.0
Globals provide a way to define global variables once and use them anywhere inside the policy.
Examples
globals:
  resourceId: ${ .Input.metadata.name }/${ .Input.metadata.namespace }
match:
  expr: ${ .Globals.resourceId }
  operator: equal
  value: my-app/my-namespace
Rules
A yapl policy can contain one or more rules. Each rule consists of a condition and a result.
rules:
- condition:
    field: metadata.name
    operator: hasPrefix
    value: app
  result:
    msg: resource name must start with 'app'
Conditional Rules
To control when a rule is evaluated, use the when field to define a condition under which the rule can be evaluated.
rules:
- when:
    < condition or logical condition >
  condition:
    < condition >
  result:
    < result >
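A complete policy with the conditional-rule placeholders filled in, as an added example that is not taken from the yapl documentation. It uses only the keys and operators shown on this page; the kinds, namespaces and name prefixes are constructed values, and using or inside match is assumed to work the same way as the or shown for exclude.

```yaml
# Added example: constructed values, not from the yapl project.

# Validate Deployments and Services only.
match:
  or:
  - field: kind
    operator: equal
    value: Deployment
  - field: kind
    operator: equal
    value: Service

# Resources in kube-system are not validated by this policy.
exclude:
  field: metadata.namespace
  operator: equal
  value: kube-system

rules:
# "when" with a single condition: evaluated for Deployments only.
- when:
    field: kind
    operator: equal
    value: Deployment
  condition:
    field: metadata.name
    operator: hasPrefix
    value: app
  result:
    msg: Deployment name must start with 'app'

# "when" with a logical condition: evaluated for Services in "default" only.
- when:
    and:
    - field: kind
      operator: equal
      value: Service
    - field: metadata.namespace
      operator: equal
      value: default
  condition:
    field: metadata.name
    operator: hasPrefix
    value: svc
  result:
    msg: Service name in the default namespace must start with 'svc'
```

Because excluded resources are not validated at all, keep exclude conditions as narrow as the use case allows.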