Update rego

mrueg · Feb 12, 2025 · 3fb0f44 · 3fb0f44
1 parent 1089f32
commit 3fb0f44
Show file tree

Hide file tree

Showing 47 changed files with 192 additions and 123 deletions.
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
@@ -106,7 +106,7 @@ jobs:
 
       - name: setup regal
         uses: styrainc/[email protected]
-        with:
+        with
           version: 0.31.0
 
       - name: regal lint

diff --git a/examples/any-warn-deprecated-api-versions/src.rego b/examples/any-warn-deprecated-api-versions/src.rego
@@ -15,12 +15,13 @@
 package any_warn_deprecated_api_versions
 
 import data.lib.core
+import rego.v1
 
 policyID := "P0001"
 
-warn[msg] {
-	resources := ["DaemonSet", "Deployment"]
+warn[msg] if {
 	core.apiVersion == "extensions/v1beta1"
+	resources := ["DaemonSet", "Deployment"]
 	core.kind == resources[_]
 
 	msg := core.format_with_id(

diff --git a/examples/any-warn-deprecated-api-versions/src_test.rego b/examples/any-warn-deprecated-api-versions/src_test.rego
@@ -1,6 +1,8 @@
 package any_warn_deprecated_api_versions
 
-test_matching {
+import rego.v1
+
+test_matching if {
 	warns := warn with input as {
 		"kind": "Deployment",
 		"metadata": {"name": "test"},
@@ -9,7 +11,7 @@ test_matching {
 	count(warns) == 1
 }
 
-test_different_kind {
+test_different_kind if {
 	warns := warn with input as {
 		"kind": "test",
 		"metadata": {"name": "test"},
@@ -18,7 +20,7 @@ test_different_kind {
 	count(warns) == 0
 }
 
-test_different_apiversion {
+test_different_apiversion if {
 	warns := warn with input as {
 		"kind": "Deployment",
 		"metadata": {"name": "test"},

diff --git a/examples/container-deny-added-caps/src.rego b/examples/container-deny-added-caps/src.rego
@@ -24,10 +24,11 @@ package container_deny_added_caps
 import data.lib.core
 import data.lib.pods
 import data.lib.security
+import rego.v1
 
 policyID := "P1001"
 
-violation[msg] {
+violation[msg] if {
 	some container
 	pods.containers[container]
 	not container_dropped_all_capabilities(container)
@@ -38,6 +39,6 @@ violation[msg] {
 	)
 }
 
-container_dropped_all_capabilities(container) {
+container_dropped_all_capabilities(container) if {
 	security.dropped_capability(container, "all")
 }
diff --git a/examples/container-deny-added-caps/src_test.rego b/examples/container-deny-added-caps/src_test.rego
@@ -1,9 +1,11 @@
 package container_deny_added_caps
 
-test_dropped_all {
+import rego.v1
+
+test_dropped_all if {
 	container_dropped_all_capabilities({"securityContext": {"capabilities": {"drop": ["all"]}}})
 }
 
-test_dropped_none {
+test_dropped_none if {
 	not container_dropped_all_capabilities({"securityContext": {"capabilities": {"drop": ["none"]}}})
 }
diff --git a/examples/container-deny-escalation/src.rego b/examples/container-deny-escalation/src.rego
@@ -20,25 +20,26 @@ package container_deny_escalation
 
 import data.lib.core
 import data.lib.pods
+import rego.v1
 
 policyID := "P1002"
 
-violation[msg] {
+violation[msg] if {
 	some container
 	pods.containers[container]
 	container_allows_escalation(container)
 
 	msg := core.format_with_id(sprintf("%s/%s: Allows privilege escalation", [core.kind, core.name]), policyID)
 }
 
-container_allows_escalation(c) {
+container_allows_escalation(c) if {
 	c.securityContext.allowPrivilegeEscalation == true
 }
 
-container_allows_escalation(c) {
+container_allows_escalation(c) if {
 	core.missing_field(c, "securityContext")
 }
 
-container_allows_escalation(c) {
+container_allows_escalation(c) if {
 	core.missing_field(c.securityContext, "allowPrivilegeEscalation")
 }
diff --git a/examples/container-deny-escalation/src_test.rego b/examples/container-deny-escalation/src_test.rego
@@ -1,9 +1,11 @@
 package container_deny_escalation
 
-test_allowescalation_false {
+import rego.v1
+
+test_allowescalation_false if {
 	not container_allows_escalation({"securityContext": {"allowPrivilegeEscalation": false}})
 }
 
-test_allowescalation_true {
+test_allowescalation_true if {
 	container_allows_escalation({"securityContext": {"allowPrivilegeEscalation": true}})
 }
diff --git a/examples/container-deny-latest-tag/src.rego b/examples/container-deny-latest-tag/src.rego
@@ -35,10 +35,11 @@ package container_deny_latest_tag
 
 import data.lib.core
 import data.lib.pods
+import rego.v1
 
 policyID := "P2001"
 
-violation[msg] {
+violation[msg] if {
 	some container
 	pods.containers[container]
 	has_latest_tag(container)
@@ -49,10 +50,10 @@ violation[msg] {
 	)
 }
 
-has_latest_tag(c) {
+has_latest_tag(c) if {
 	endswith(c.image, ":latest")
 }
 
-has_latest_tag(c) {
+has_latest_tag(c) if {
 	contains(c.image, ":") == false
 }
diff --git a/examples/container-deny-latest-tag/src_test.rego b/examples/container-deny-latest-tag/src_test.rego
@@ -1,13 +1,15 @@
 package container_deny_latest_tag
 
-test_input_as_image_without_latest_tag {
+import rego.v1
+
+test_input_as_image_without_latest_tag if {
 	not has_latest_tag({"name": "test", "image": "image:1.0.0"})
 }
 
-test_input_as_image_with_latest_tag {
+test_input_as_image_with_latest_tag if {
 	has_latest_tag({"name": "test", "image": "image:latest"})
 }
 
-test_input_as_image_with_no_tag {
+test_input_as_image_with_no_tag if {
 	has_latest_tag({"name": "test", "image": "image"})
 }
diff --git a/examples/container-deny-privileged-if-tenant/src.rego b/examples/container-deny-privileged-if-tenant/src.rego
@@ -27,10 +27,11 @@ package container_deny_privileged_if_tenant
 import data.lib.core
 import data.lib.pods
 import data.lib.security
+import rego.v1
 
 policyID := "P2006"
 
-violation[msg] {
+violation[msg] if {
 	some container
 	pods.containers[container]
 	container_is_privileged(container)
@@ -41,10 +42,10 @@ violation[msg] {
 	)
 }
 
-container_is_privileged(container) {
+container_is_privileged(container) if {
 	container.securityContext.privileged
 }
 
-container_is_privileged(container) {
+container_is_privileged(container) if {
 	security.added_capability(container, "CAP_SYS_ADMIN")
 }
diff --git a/examples/container-deny-privileged-if-tenant/src_test.rego b/examples/container-deny-privileged-if-tenant/src_test.rego
@@ -1,13 +1,15 @@
 package container_deny_privileged
 
-test_privileged_true {
+import rego.v1
+
+test_privileged_true if {
 	container_is_privileged({"securityContext": {"privileged": true}})
 }
 
-test_privileged_false {
+test_privileged_false if {
 	not container_is_privileged({"securityContext": {"privileged": false}})
 }
 
-test_added_capability {
+test_added_capability if {
 	container_is_privileged({"securityContext": {"capabilities": {"add": ["CAP_SYS_ADMIN"]}}})
 }
diff --git a/examples/container-deny-privileged/src.rego b/examples/container-deny-privileged/src.rego
@@ -22,10 +22,11 @@ package container_deny_privileged
 import data.lib.core
 import data.lib.pods
 import data.lib.security
+import rego.v1
 
 policyID := "P1003"
 
-violation[msg] {
+violation[msg] if {
 	some container
 	pods.containers[container]
 	container_is_privileged(container)
@@ -36,10 +37,10 @@ violation[msg] {
 	)
 }
 
-container_is_privileged(container) {
+container_is_privileged(container) if {
 	container.securityContext.privileged
 }
 
-container_is_privileged(container) {
+container_is_privileged(container) if {
 	security.added_capability(container, "CAP_SYS_ADMIN")
 }
diff --git a/examples/container-deny-privileged/src_test.rego b/examples/container-deny-privileged/src_test.rego
@@ -1,13 +1,15 @@
 package container_deny_privileged
 
-test_privileged_true {
+import rego.v1
+
+test_privileged_true if {
 	container_is_privileged({"securityContext": {"privileged": true}})
 }
 
-test_privileged_false {
+test_privileged_false if {
 	not container_is_privileged({"securityContext": {"privileged": false}})
 }
 
-test_added_capability {
+test_added_capability if {
 	container_is_privileged({"securityContext": {"capabilities": {"add": ["CAP_SYS_ADMIN"]}}})
 }
diff --git a/examples/container-deny-without-resource-constraints/src.rego b/examples/container-deny-without-resource-constraints/src.rego
@@ -20,10 +20,11 @@ package container_deny_without_resource_constraints
 
 import data.lib.core
 import data.lib.pods
+import rego.v1
 
 policyID := "P2002"
 
-violation[msg] {
+violation[msg] if {
 	some container
 	pods.containers[container]
 	not container_resources_provided(container)
@@ -34,7 +35,7 @@ violation[msg] {
 	)
 }
 
-container_resources_provided(container) {
+container_resources_provided(container) if {
 	container.resources.requests.cpu
 	container.resources.requests.memory
 	container.resources.limits.cpu

diff --git a/examples/container-deny-without-resource-constraints/src_test.rego b/examples/container-deny-without-resource-constraints/src_test.rego
@@ -1,24 +1,26 @@
 package container_deny_without_resource_constraints
 
-test_input_as_container_missing_resources {
+import rego.v1
+
+test_input_as_container_missing_resources if {
 	container := {}
 
 	not container_resources_provided(container)
 }
 
-test_input_as_container_with_missing_memory_requests {
+test_input_as_container_with_missing_memory_requests if {
 	container := {"resources": {"requests": {"cpu": "1"}}}
 
 	not container_resources_provided(container)
 }
 
-test_input_as_container_with_missing_limits_constraint {
+test_input_as_container_with_missing_limits_constraint if {
 	container := {"resources": {"requests": {"cpu": "1", "memory": "1"}}}
 
 	not container_resources_provided(container)
 }
 
-test_input_as_container_with_all_constraints {
+test_input_as_container_with_all_constraints if {
 	container := {"resources": {"requests": {"cpu": "1", "memory": "1"}, "limits": {"cpu": "1", "memory": "1"}}}
 
 	container_resources_provided(container)

diff --git a/examples/container-warn-no-ro-fs/src.rego b/examples/container-warn-no-ro-fs/src.rego
@@ -20,10 +20,11 @@ package container_warn_no_ro_fs
 
 import data.lib.core
 import data.lib.pods
+import rego.v1
 
 policyID := "P2003"
 
-warn[msg] {
+warn[msg] if {
 	some container
 	pods.containers[container]
 	no_read_only_filesystem(container)
@@ -34,11 +35,11 @@ warn[msg] {
 	)
 }
 
-no_read_only_filesystem(container) {
+no_read_only_filesystem(container) if {
 	core.has_field(container.securityContext, "readOnlyRootFilesystem")
 	not container.securityContext.readOnlyRootFilesystem
 }
 
-no_read_only_filesystem(container) {
+no_read_only_filesystem(container) if {
 	core.missing_field(container.securityContext, "readOnlyRootFilesystem")
 }
diff --git a/examples/container-warn-no-ro-fs/src_test.rego b/examples/container-warn-no-ro-fs/src_test.rego
@@ -1,9 +1,11 @@
 package container_warn_no_ro_fs
 
-test_rofs_true {
+import rego.v1
+
+test_rofs_true if {
 	not no_read_only_filesystem({"securityContext": {"readOnlyRootFilesystem": true}})
 }
 
-test_rofs_false {
+test_rofs_false if {
 	no_read_only_filesystem({"securityContext": {"readOnlyRootFilesystem": false}})
 }
diff --git a/examples/pod-deny-host-alias/src.rego b/examples/pod-deny-host-alias/src.rego
@@ -22,15 +22,16 @@ import data.lib.core.format_with_id
 import data.lib.core.kind
 import data.lib.core.name
 import data.lib.pods
+import rego.v1
 
 policyID := "P1004"
 
-violation[msg] {
+violation[msg] if {
 	pod_host_alias
 
 	msg := format_with_id(sprintf("%s/%s: Pod has hostAliases defined", [kind, name]), policyID)
 }
 
-pod_host_alias {
+pod_host_alias if {
 	pods.pod.spec.hostAliases
 }
diff --git a/examples/pod-deny-host-alias/src_test.rego b/examples/pod-deny-host-alias/src_test.rego
@@ -1,10 +1,12 @@
 package pod_deny_host_alias
 
-test_input_with_alias_missing {
+import rego.v1
+
+test_input_with_alias_missing if {
 	not pod_host_alias with input as {"kind": "Pod"}
 }
 
-test_input_with_alias {
+test_input_with_alias if {
 	pod_host_alias with input as {
 		"kind": "Pod",
 		"spec": {"hostAliases": [{"ip": "127.0.0.1", "hostnames": ["foo.local"]}]},