Questions tagged [rego]

Rego is a query language. To make a policy decision in Rego, you write logical tests on the data that comes in as input (such as the API or SSH data from the last section).

161 questions
4 votes, 2 answers

Using OR condition in OPA rego

I want to use an OR operation to combine the following conditions: the count of my arr is not equal to 0 my email does not contain "test.com" Currently I am using the built-in function any(): any([count(arr) != 0, not contains(email,…
jrchew
4 votes, 3 answers

Compare two arrays in the Rego Language

violation[{"msg": msg}] { required:= ["red", "green", "blue"] input := ["orange", "purple"] msg := sprintf("") } I want to compare each value from the input array in the required array. In other languages, two normal loops will do it.…
Xameer
4 votes, 1 answer

Rego testing: how to test "not deny"?

I'm exploring testing my Rego policies using opa test starting with this trivial rule: deny["Must be allowed"] { input.allowed == "no" } I'm able to successfully test this against a case where this is denied: test_denied_example { deny with…
eirikir
3 votes, 1 answer

In Rego, why is "every" never false?

According to the Open Policy Agent documentation, in Rego, every evaluates either to true or undefined. Why not true or false? What is it about Rego that suggests false is the wrong value? By comparison, the membership operator in always evaluates…
Old Pro
3 votes, 1 answer

OPA/Rego execute function for each element of an array

I am new at OPA/Rego and I am trying to write a policy to check if an Azure Network Security Group contains all the rules that I define on an array package sample default compliant = false toSet(arr) = {x | x := arr[_]} checkProperty(rule, index,…
delucaezequiel
3 votes, 2 answers

rego_type_error: undefined function

I am new to OPA and rego files. I have created a rego file like this : package sample.access import data.myaccess default allow = false allow = true { myaccess.is_user_allowed(input.user) } And, I have created test rego file like this…
sharmila
3 votes, 1 answer

Open policy agent satisfy condition for all array items

Trying to wrap my head around this issue for a while - I have a JSON input which contains an array, say something like this: { "array" : [ {"foo": "bar"}, {"foo": "buzz"}, {"misbehaving": "object"} ] } My goal is to…
FitzChivalry
3 votes, 1 answer

How to do a || "b" in rego

we validate objects with and without namespaces and I always want to print what the current namespace is ... but fallback to "" or some other default value when no namespace is set. using the naive input.review.object.metadata.namespace directly…
grosser
2 votes, 1 answer

OPA giving error "rego_parse_error: var cannot be used for rule name"

I have a simple rego file like this: package example default isApplicable := false isApplicable if { timeNow := time.now_ns() timeNow >= input.startDatetime } and I keep getting parse error: "rego_parse_error: var cannot be used for rule…
rsc
2 votes, 0 answers

Rego based OPA Policy for restricting Argo CD applications being created in default Argo CD project is not working with Gatekeeper

Rego based OPA Policy for restricting Argo CD applications being created in default Argo CD project is not working with Gatekeeper. I have tried multiple combinations of api versions and kinds in the constraint as well. Constraint template and…
Mukul Garg
2 votes, 1 answer

OPA/rego result is true even if a comparison evaluates to false

I just started to use OPA, so there is a high chance I'm doing something wrong. I have the following input: { "request": { "principalId": "user1", "scope": "/workspaces/1/environments/dev/deployments/123", "requiredPermissions": [ …
tiwood
2 votes, 1 answer

Overlapping roots across multiple bundles

I was trying to understand the significance of roots. As per the docs, The roots are not overlapping (e.g., a/b/c and a/b are overlapped and will result in an error.) Note: This is not enforced across multiple bundles. Only within the same bundle…
2 votes, 3 answers

VSCode Rego Plugin opa evaluate not working as expected

I'm learning OPA and rego. I'm trying to write a simple policy and have the same evaluated through VSCode Plugin. Folder Structure: learning.rego package learning test { a := "test" a == "test" } input.json {} And when I choose "OPA:…
2 votes, 1 answer

Why is the exact difference between "violation" and "deny" in OPA/Rego?

In Open Policy Agent (https://www.openpolicyagent.org/) regarding to Kubernetes, depending which engine is used: Gatekeeper: https://github.com/open-policy-agent/gatekeeper OR Plain OPA with kube-mgmt:…
csviri
2 votes, 1 answer

OPA policy to allow docker exec

I've deployed the OPA docker plugin as per instruction. And everything was fine until I've tried to create custom docker API permissions for docker exec. I've added following section to authz.rego file: allow { user_id :=…
Victor EStalin