Parameters in Rego rules [Open Policy Agent]
How do I use parameters in Rego rules? I have something like this:
deny[reason] {
input.request.kind.kind == "Route"
not valid_route_request[label]
reason := sprintf("missing or wrong router selector label: %v", [label])
}
valid_route_request[label] {
requester := input.request.userInfo.username
some i # iterate on all users
requester == data.kubernetes.users[i].metadata.name
label := input.request.object.metadata.labels["router-selector"]
label == data.kubernetes.users[i].metadata.annotations[router_selector_key]
}
where label is used to build the error message. I get this error message from OPA: var label is unsafe ...
In general, I'm still not clear on how parameters are passed in Rego.
Your example is almost correct; the problem you're running into is that label is "unsafe".
TLDR; assign label inside the deny rule:
deny[reason] {
input.request.kind.kind == "Route"
label := input.request.object.metadata.labels["router-selector"]
not valid_route_request[label]
reason := sprintf("wrong 'router-selector' label: %v", [label])
}
deny[reason] {
input.request.kind.kind == "Route"
not input.request.object.metadata.labels["router-selector"]
reason := "missing 'router-selector' label"
}
Note that I created two deny rules. One for the case where the path input.request.object.metadata.labels["router-selector"] is undefined, and another for invalid values.
Why does OPA produce a safety error in the original example? Safety is a property of Rego that ensures all variables can be assigned a finite number of values. To be considered "safe", a variable must appear as the output of at least one non-negated expression.
Here are some safe examples:
# 'a' is assigned to the value referenced by input.foo
a := input.foo
# 'x' is assigned to the keys of the collection referenced by input.foo
input.foo[x]
# 'label' is assigned to the keys of the collection referenced by valid_route_request
valid_route_request[label]
# 'x' is safe because it is assigned outside the negated expression
x := 7; not illegal_numbers[x]
Here are some examples of unsafe expressions:
# 'x' is unsafe because it does not appear as an output of a non-negated expression
not p[x]; not q[x]
# 'y' is unsafe because it only appears as a built-in function input
count(y)
Variables that appear in the rule head can also produce safety errors:
# 'msg' is unsafe because it is not assigned inside the body of the rule.
deny[msg] {
input.request.kind.kind == "BadKind"
}
Safety matters because it ensures OPA can enumerate all the values that can be assigned to a variable. If a variable is unsafe, it means there may be infinitely many assignments to it. In your example, the valid_route_request statement generates a set of values (labels?). The not valid_route_request[label] statement in the deny rule is unsafe because label is not assigned anywhere else in the deny rule (and label probably does not appear in the global scope.) This actually becomes clearer if you include 'some' in the deny rule:
deny[reason] {
some label
input.request.kind.kind == "Route"
not valid_route_request[label]
reason := ...
}
This rule says (in English):
reason is in deny if for some label, input.request.kind.kind equals Route and label is not in valid_route_request, and ...
Technically, there are infinitely many assignments to label that satisfy this rule (e.g., the string "12345" would not be contained in valid_route_request, nor would "123456", and so on...)
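The following is an added example, not code from the question or the answer above, that shows the answer's fix together with the other way to pass a parameter in Rego: a function with an explicit argument. Because the caller binds label before valid_route_request(label) is evaluated, the variable is safe even inside the negated expression. It uses the same pre-1.0 Rego syntax as the post (OPA 0.x), assumes the annotation key is the literal "router-selector" (the question's router_selector_key is never bound), and the sample_users data and the route_request helper are constructed here for the unit tests, which run with opa test:

```rego
package kubernetes.admission

# Deny a Route whose 'router-selector' label is present but does not match the
# requesting user's annotation. `label` is assigned here, before the negated
# call, so it is safe.
deny[reason] {
    input.request.kind.kind == "Route"
    label := input.request.object.metadata.labels["router-selector"]
    not valid_route_request(label)
    reason := sprintf("wrong 'router-selector' label: %v", [label])
}

# Deny a Route with no 'router-selector' label at all (the path is undefined,
# so `not` of it is true).
deny[reason] {
    input.request.kind.kind == "Route"
    not input.request.object.metadata.labels["router-selector"]
    reason := "missing 'router-selector' label"
}

# Function with an explicit parameter: `label` is bound by the caller, so no
# safety error can arise. Holds (is true) when the requester is a known user
# whose 'router-selector' annotation equals the label; otherwise undefined.
# Assumes the annotation key is the literal "router-selector".
valid_route_request(label) {
    requester := input.request.userInfo.username
    some i
    requester == data.kubernetes.users[i].metadata.name
    label == data.kubernetes.users[i].metadata.annotations["router-selector"]
}

# --- unit tests (constructed sample data, not from a real cluster) ---

# Stand-in for data.kubernetes.users.
sample_users := [
    {"metadata": {"name": "alice", "annotations": {"router-selector": "team-a"}}},
    {"metadata": {"name": "bob", "annotations": {"router-selector": "team-b"}}}
]

# Builds an admission-review-shaped input for a Route created by `user`.
route_request(user, labels) := {"request": {
    "kind": {"kind": "Route"},
    "userInfo": {"username": user},
    "object": {"metadata": {"labels": labels}}
}}

test_matching_label_allowed {
    req := route_request("alice", {"router-selector": "team-a"})
    count(deny) == 0 with input as req with data.kubernetes.users as sample_users
}

test_wrong_label_denied {
    req := route_request("alice", {"router-selector": "team-b"})
    deny["wrong 'router-selector' label: team-b"] with input as req with data.kubernetes.users as sample_users
}

test_missing_label_denied {
    req := route_request("alice", {})
    deny["missing 'router-selector' label"] with input as req with data.kubernetes.users as sample_users
}

test_non_route_ignored {
    req := {"request": {"kind": {"kind": "Pod"}}}
    count(deny) == 0 with input as req with data.kubernetes.users as sample_users
}
```

Save it as policy.rego and run opa test policy.rego; all four tests should pass. The two styles are interchangeable for this check: the answer's partial set valid_route_request[label] is the right shape when you want to enumerate every acceptable label, while the function form is the natural choice when a single, already-known value is being validated, which is the "parameter passing" the question asks about.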