Name		Name	Last commit message	Last commit date
Latest commit History 16 Commits
.github		.github
src		src
test_data		test_data
.gitignore		.gitignore
.taplo.toml		.taplo.toml
CODEOWNERS		CODEOWNERS
CONTRIBUTING.md		CONTRIBUTING.md
Cargo.lock		Cargo.lock
Cargo.toml		Cargo.toml
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
artifacthub-repo.yml		artifacthub-repo.yml
e2e.bats		e2e.bats
metadata.yml		metadata.yml
questions-ui.yml		questions-ui.yml
renovate.json		renovate.json

Repository files navigation

labels-policy

This policy validates the labels of generic Kubernetes objects.

Note

By default, the policy metadata targets only workload resources (Deployments, Pods, Replicasets, Jobs..).

Deploy the policy with your desired rules to target other resources. Note that the audit scanner feature does not support policies targeting "*".

Settings

The policy settings has the criteria field which define the logic operation performed with the values defined in the settings and the labels defined in the resource:

settings:
  criteria: "containsAnyOf"
  values:
    - cost-center

The criteria configuration can have the following values:

containsAnyOf: enforces that the resource has at least one of the labels in values.
doesNotContainAnyOf: enforces that the resource does not have any label defined in values (denylist).
containsAllOf: enforces that all of the labels in values are defined in the resource.
doesNotContainAllOf: enforces that the labels defined in values are not all set together in the resource.
ContainsOtherThan: enforces that the resource contains at least one label not in values.
DoesNotContainOtherThan: enforces that the resource contains only labels from values (allowlist).

The values field must contain at least one label name for validation. label names should be valid label names per Kubernetes docs.

Important

An empty list of label names is not allowed.

If you require more complex labels validation, consider the use of Kubewarden policy groups. With policy groups, you can combine multiple validations using complex logical operators to function as a single policy.

Rules operators logic tables

These are some tables to help you understand the logic of the operators:

`containsAnyOf`

Given these values settings: [a, b]

Resource labels	Evaluation result
a	Accepted
b	Accepted
a,b	Accepted
a,b,c	Accepted
c	Rejected
a, c	Accepted
b, c	Accepted
empty	Rejected

`doesNotContainAnyOf` (denylist)

Given these values settings: [a, b]

Resource labels	Evaluation result
a	Rejected
b	Rejected
a,b	Rejected
a,b,c	Rejected
c	Accepted
a, c	Rejected
b, c	Rejected
empty	Accepted

`containsAllOf`

Given these values settings: [a, b]

Resource labels	Evaluation result
a	Rejected
b	Rejected
a,b	Accepted
a,b,c	Accepted
c	Rejected
a, c	Rejected
b, c	Rejected
empty	Rejected

`doesNotContainAllOf`

Given these values settings: [a, b]

Resource labels	Evaluation result
a	Accepted
b	Accepted
a,b	Rejected
a,b,c	Rejected
c	Accepted
a, c	Accepted
b, c	Accepted
empty	Accepted

`containsOtherThan`

Given these values settings: [a, b]

Resource labels	Evaluation result
a	rejected
b	rejected
a,b	rejected
a,b,c	accepted
c	accepted
a, c	accepted
b, c	accepted
empty	rejected

`doesNotContainOtherThan` (allowlist)

Given these values settings: [a, b]

Resource labels	Evaluation result
a	accepted
b	accepted
a,b	accepted
a,b,c	rejected
c	rejected
a, c	rejected
b, c	rejected
empty	accepted