When testing for two labels being required within a deployment, if either match passes the whole block is accepted.
deny[msg] {
input.kind = "Deployment"
not input.spec.selector.matchLabels.app
not input.spec.selector.matchLabels.release
msg = sprintf("Deployment[%s] - Containers must provide app/release labls for pod selectors", [name])
}
- All rules should match before accepting
deployment.yaml
Deployment[app_only] - Containers must provide app/release labls for pod selectors
Deployment[release_only] - Containers must provide app/release labls for pod selectors
Deployment[no_labels] - Containers must provide app/release labls for pod selectors
$ conftest test deployment.yaml
deployment.yaml
Deployment[no_labels] - Containers must provide app/release labls for pod selectors
conftest --version
Version: 0.6.0
Commit: a27d0739a785fc52c421339d129267772a15662f
Date: 2019-05-20T07:40:07Z
Save the two files given below, and execute using conftest
$ conftest test deployment.yaml
deployment.yaml
Deployment[no_labels] - Containers must provide app/release labls for pod selectors