package main
import data.kubernetes
# Name of the object under review, taken from its metadata. Only referenced
# by the commented-out sprintf() messages further down in this file.
name = input.metadata.name
#deny[msg] {
# input.kind == "Deployment"
# not input.spec.template.spec.securityContext.runAsNonRoot
#
# msg := "Containers must not run as root"
#}
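# Deny a Deployment whose pod selector does not carry the
# `app.kubernetes.io/name` label key.
#
# The label key contains dots and a slash, so it must be accessed with
# bracket notation. Written as `matchLabels.app.kubernetes.io/name`, Rego
# parses it as `(matchLabels.app.kubernetes.io) / name` — a division by the
# top-level `name` rule — which is undefined for every real Deployment and
# therefore made `not …` succeed and denied all Deployments.
#
# Only the name key is checked here; the message also mentions "version",
# which this rule does not enforce.
deny[msg] {
    input.kind == "Deployment"
    not input.spec.selector.matchLabels["app.kubernetes.io/name"]

    msg := "Containers must provide name/version label for pod selectors"
}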
#deny[msg] {
# kubernetes.is_deployment
# not input.spec.template.spec.securityContext.runAsNonRoot
#
# msg = sprintf("Containers must not run as root in Deployment %s", [name])
#}
# Holds (is true) when the pod selector of the input object carries both the
# `app` and the `release` label keys; undefined otherwise. Used only by a
# commented-out deny rule below.
required_deployment_selectors {
    selector_labels := input.spec.selector.matchLabels
    selector_labels.app
    selector_labels.release
}
#deny[msg] {
# kubernetes.is_deployment
# not required_deployment_selectors
#
# msg = sprintf("Deployment %s must provide app/release labels for pod selectors", [name])
#}