我正在使用 OPA rego 代码检查部署 kubernetes 中是否提供了 key resources.limits。下面是代码,我正在尝试获取 resources.limits 键,它总是返回 TRUE。不管提供与否的资源。
package resourcelimits
violation[{"msg": msg}] {
some container; input.request.object.spec.template.spec.containers[container]
not container.resources.limits.memory
msg := "Resources for the pod needs to be provided"
你可以尝试这样的事情:
import future.keywords.in
violation[{"msg": msg}] {
input.request.kind.kind == "Deployment"
some container in input.request.object.spec.template.spec.containers
not container.resources.limits.memory
msg := sprintf("Container '%v/%v' does not have memory limits", [input.request.object.metadata.name, container.name])
}