docs: adding opa v1 docs and tests (#3908)

JaydipGabani · web-flow · commit 4f88e8e465b3 · 2025-04-11T16:56:12.000-07:00
Signed-off-by: Jaydip Gabani &lt;gabanijaydip@gmail.com&gt;
diff --git a/test/bats/test.bats b/test/bats/test.bats
@@ -70,7 +70,6 @@ teardown_file() {
   else
     wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f ${BATS_TESTS_DIR}/templates/k8srequiredlabels_template_vap.yaml"
 
-    # check status resource on expansion template
     wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl get constrainttemplates.templates.gatekeeper.sh k8srequiredlabelsvap -ojson | jq -r -e '.status.byPod[0]'"
 
     kubectl get constrainttemplates.templates.gatekeeper.sh k8srequiredlabelsvap -oyaml
@@ -681,3 +680,16 @@ __expansion_audit_test() {
   run kubectl delete -f test/export/nginx_deployment.yaml --ignore-not-found
   run kubectl delete ns nginx --ignore-not-found
 }
+
+@test "rego v1 tests" {
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f ${BATS_TESTS_DIR}/templates/k8srequiredlabels_template_regov1.yaml"
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl get constrainttemplates.templates.gatekeeper.sh k8srequiredlabels -ojson | jq -r -e '.status.byPod[0]'"
+
+  kubectl get constrainttemplates.templates.gatekeeper.sh k8srequiredlabelsv1 -oyaml
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f ${BATS_TESTS_DIR}/constraints/all_ns_must_have_label_provided.yaml"
+
+  run kubectl apply -f ${BATS_TESTS_DIR}/bad/bad_ns.yaml
+  assert_match 'denied' "${output}"
+  assert_failure
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/templates/k8srequiredlabels_template_regov1.yaml"
+}
diff --git a/test/bats/tests/constraints/all_ns_must_have_label_provided.yaml b/test/bats/tests/constraints/all_ns_must_have_label_provided.yaml
@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredLabelsV1
+metadata:
+  name: all-must-have-label
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Namespace"]
+  parameters:
+    message: "All namespaces must have an `owner` label that points to your company username"
+    labels:
+      - key: owner
+        allowedRegex: "^[a-zA-Z]+.agilebank.demo$"
diff --git a/test/bats/tests/templates/k8srequiredlabels_template_regov1.yaml b/test/bats/tests/templates/k8srequiredlabels_template_regov1.yaml
@@ -0,0 +1,43 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8srequiredlabelsv1
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sRequiredLabelsV1
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          type: object
+          properties:
+            message:
+              type: string
+            labels:
+              type: array
+              items:
+                type: object
+                properties:
+                  key:
+                    type: string
+                  allowedRegex:
+                    type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      code:
+        - engine: Rego
+          source:
+            version: "v1"
+            rego: |
+              package k8srequiredlabelsv1
+
+              violation contains 
+                {"msg": msg, "details": {"missing_labels": missing}} 
+                if {
+                  provided := {label | input.review.object.metadata.labels[label]}
+                  required := {label | label := input.parameters.labels[_]}
+                  missing := required - provided
+                  count(missing) > 0
+                  msg := sprintf("you must provide labels: %v", [missing])
+                }
diff --git a/test/gator/test/fixtures/manifests/with-policies/with-violations-rego-v1.yaml b/test/gator/test/fixtures/manifests/with-policies/with-violations-rego-v1.yaml
@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: allowed-namespace
+---
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredLabels
+metadata:
+  name: all-must-have-owner
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Namespace"]
+  parameters:
+    message: "All namespaces must have an `owner` label that points to your company username"
+    labels:
+      - key: owner
+        allowedRegex: "^[a-zA-Z]+.agilebank.demo$"
+---
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8srequiredlabels
+  annotations:
+    description: >-
+      Requires resources to contain specified labels, with values matching
+      provided regular expressions.
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sRequiredLabels
+      validation:
+        openAPIV3Schema:
+          type: object
+          properties:
+            message:
+              type: string
+            labels:
+              type: array
+              description: >-
+                A list of labels and values the object must specify.
+              items:
+                type: object
+                properties:
+                  key:
+                    type: string
+                    description: >-
+                      The required label.
+                  allowedRegex:
+                    type: string
+                    description: >-
+                      If specified, a regular expression the annotation's value
+                      must match. The value must contain at least one match for
+                      the regular expression.
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      code:
+        - engine: Rego
+          source:
+            version: "v1"
+            rego: |
+              package k8srequiredlabels
+
+              violation contains 
+                {"msg": msg, "details": {"missing_labels": missing}} 
+                if {
+                  provided := {label | input.review.object.metadata.labels[label]}
+                  required := {label | label := input.parameters.labels[_]}
+                  missing := required - provided
+                  count(missing) > 0
+                  msg := sprintf("you must provide labels: %v", [missing])
+                }
diff --git a/test/gator/test/test.bats b/test/gator/test/test.bats
@@ -85,6 +85,10 @@ match_yaml_msg () {
   ! bin/gator test --filename="$BATS_TEST_DIRNAME/fixtures/manifests/with-policies/with-violations.yaml"
 }
 
+@test "manifest with rego v1 template and violations included as flag returns 1 exit status" {
+  ! bin/gator test --filename="$BATS_TEST_DIRNAME/fixtures/manifests/with-policies/with-violations-rego-v1.yaml"
+}
+
 @test "multiple files passed in flags is supported" {
  run bin/gator test --filename="$BATS_TEST_DIRNAME/fixtures/manifests/no-policies/with-violations.yaml" --filename="$BATS_TEST_DIRNAME/fixtures/policies/default" -oyaml
   [ "$status" -eq 1 ]
diff --git a/website/docs/constrainttemplates.md b/website/docs/constrainttemplates.md
@@ -158,3 +158,72 @@ k8srequiredlabels.constraints.gatekeeper.sh/ns-must-have-gk created
 $ kubectl create ns foobar
 Error from server ([ns-must-have-gk] you must provide labels: {"gatekeeper"}): admission webhook "validation.gatekeeper.sh" denied the request: [ns-must-have-gk] you must provide labels: {"gatekeeper"}
 ```
+
+## Enable OPA Rego v1 syntax in ConstraintTemplates
+
+Gatekeeper 3.19 ships with ability to use OPA Rego v1 as policy language in ConstraintTemplates. Using Rego v1 syntax is opt-in, by default only Rego v0 is allowed. You can use below spec to enable Rego v1 syntax:
+
+```yaml
+...
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      code:
+        - engine: Rego
+          source:
+            version: "v1"
+            rego: |
+              <v1-rego-code>
+...
+```
+
+:::note
+Rego v1 syntax can only be used under `targets[_].code[_].[engine: Rego].source` with `version: "v1"`. No need to add `import rego.v1` to use rego v1 syntax.
+:::
+
+Here is a sample ConstraintTemplate using Rego v1 syntax:
+
+```yaml
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8srequiredlabels
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sRequiredLabels
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          type: object
+          properties:
+            message:
+              type: string
+            labels:
+              type: array
+              items:
+                type: object
+                properties:
+                  key:
+                    type: string
+                  allowedRegex:
+                    type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      code:
+        - engine: Rego
+          source:
+            version: "v1"
+            rego: |
+              package k8srequiredlabels
+
+              violation contains 
+                {"msg": msg, "details": {"missing_labels": missing}} 
+                if {
+                  provided := {label | input.review.object.metadata.labels[label]}
+                  required := {label | label := input.parameters.labels[_]}
+                  missing := required - provided
+                  count(missing) > 0
+                  msg := sprintf("you must provide labels: %v", [missing])
+                }
+```
diff --git a/website/versioned_docs/version-v3.19.x/constrainttemplates.md b/website/versioned_docs/version-v3.19.x/constrainttemplates.md
@@ -158,3 +158,72 @@ k8srequiredlabels.constraints.gatekeeper.sh/ns-must-have-gk created
 $ kubectl create ns foobar
 Error from server ([ns-must-have-gk] you must provide labels: {"gatekeeper"}): admission webhook "validation.gatekeeper.sh" denied the request: [ns-must-have-gk] you must provide labels: {"gatekeeper"}
 ```
+
+## Enable OPA Rego v1 syntax in ConstraintTemplates
+
+Gatekeeper 3.19 ships with ability to use OPA Rego v1 as policy language in ConstraintTemplates. Using Rego v1 syntax is opt-in, by default only Rego v0 is allowed. You can use below spec to enable Rego v1 syntax:
+
+```yaml
+...
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      code:
+        - engine: Rego
+          source:
+            version: "v1"
+            rego: |
+              <v1-rego-code>
+...
+```
+
+:::note
+Rego v1 syntax can only be used under `targets[_].code[_].[engine: Rego].source` with `version: "v1"`. No need to add `import rego.v1` to use rego v1 syntax.
+:::
+
+Here is a sample ConstraintTemplate using Rego v1 syntax:
+
+```yaml
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8srequiredlabels
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sRequiredLabels
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          type: object
+          properties:
+            message:
+              type: string
+            labels:
+              type: array
+              items:
+                type: object
+                properties:
+                  key:
+                    type: string
+                  allowedRegex:
+                    type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      code:
+        - engine: Rego
+          source:
+            version: "v1"
+            rego: |
+              package k8srequiredlabels
+
+              violation contains 
+                {"msg": msg, "details": {"missing_labels": missing}} 
+                if {
+                  provided := {label | input.review.object.metadata.labels[label]}
+                  required := {label | label := input.parameters.labels[_]}
+                  missing := required - provided
+                  count(missing) > 0
+                  msg := sprintf("you must provide labels: %v", [missing])
+                }
+```
