kube-cel 0.5.3

Kubernetes CEL extension functions for the cel crate
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

//! Demonstrates static analysis of CEL validation rules.
//!
//! Run with: `cargo run --example static_analysis --features validation`

use kube_cel::{
    analysis::{self, ScopeContext},
    compilation::compile_schema,
};
use serde_json::json;

fn main() {
    let schema = json!({
        "type": "object",
        "properties": {
            "name": {"type": "string", "maxLength": 253},
            "tags": {
                "type": "array",
                "items": {"type": "string"}
                // Note: no maxItems — cost estimator will warn
            },
            "replicas": {"type": "integer"}
        }
    });
    let compiled = compile_schema(&schema);

    let rules = [
        // Good rule: simple comparison, low cost
        "self.replicas >= 0",
        // Good rule: bounded string operation
        "self.name.size() > 0",
        // Potentially expensive: unbounded list comprehension
        "self.tags.all(tag, tag.size() > 0)",
        // Wrong scope: uses admission policy variable in CRD context
        "request.userInfo.username != 'admin'",
    ];

    println!("=== CEL Rule Analysis ===\n");

    for rule in &rules {
        println!("Rule: {rule}");

        // Combined analysis: scope + cost in one compilation
        let warnings = analysis::analyze_rule(rule, &compiled, ScopeContext::CrdValidation);

        if warnings.is_empty() {
            println!("  OK — no issues found\n");
        } else {
            for w in &warnings {
                println!("  [{:?}] {}", w.kind, w.message);
            }
            println!();
        }
    }
}