kube-cel 0.5.3

Kubernetes CEL extension functions for the cel crate
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89

//! Demonstrates client-side evaluation of ValidatingAdmissionPolicy CEL expressions.
//!
//! Run with: `cargo run --example vap_evaluation --features validation`

use kube_cel::vap::{AdmissionRequest, GroupVersionKind, VapEvaluator, VapExpression};
use serde_json::json;

fn main() {
    // Simulate an incoming Deployment object
    let object = json!({
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {
            "name": "my-app",
            "namespace": "production",
            "labels": {"app": "my-app"}
        },
        "spec": {
            "replicas": 3,
            "template": {
                "spec": {
                    "containers": [{
                        "name": "app",
                        "image": "my-app:latest"
                    }]
                }
            }
        }
    });

    // Build evaluator with admission context
    let evaluator = VapEvaluator::builder()
        .object(object)
        .request(AdmissionRequest {
            operation: "CREATE".into(),
            username: "developer@example.com".into(),
            namespace: "production".into(),
            name: "my-app".into(),
            kind: GroupVersionKind {
                group: "apps".into(),
                version: "v1".into(),
                kind: "Deployment".into(),
            },
            ..Default::default()
        })
        .params(json!({"maxReplicas": 5, "requiredLabel": "app"}))
        .build();

    // Define policy expressions (from a ValidatingAdmissionPolicy)
    let expressions = vec![
        VapExpression {
            expression: "object.spec.replicas <= params.maxReplicas".into(),
            message: Some("replicas exceeds maximum allowed".into()),
            message_expression: Some(
                "'replicas ' + string(object.spec.replicas) + ' exceeds max ' + string(params.maxReplicas)"
                    .into(),
            ),
        },
        VapExpression {
            expression: "has(object.metadata.labels) && params.requiredLabel in object.metadata.labels"
                .into(),
            message: Some("required label missing".into()),
            message_expression: None,
        },
        VapExpression {
            expression: "!object.spec.template.spec.containers.exists(c, c.image.endsWith(':latest'))".into(),
            message: Some("latest tag is not allowed in production".into()),
            message_expression: None,
        },
    ];

    let results = evaluator.evaluate(&expressions);

    println!("=== VAP Evaluation Results ===\n");
    for result in &results {
        let status = if result.passed { "PASS" } else { "FAIL" };
        println!("[{status}] {}", result.expression);
        if let Some(msg) = &result.message {
            println!("       {msg}");
        }
    }

    let failures: Vec<_> = results.iter().filter(|r| !r.passed).collect();
    println!(
        "\n{} passed, {} failed",
        results.len() - failures.len(),
        failures.len()
    );
}