Operator error: policy working on OPA playground but not with fregot

Question

Operator error: policy working on OPA playground but not with fregot

rayanebel opened this issue 3 years ago · comments

Hi,

I'm trying to write a simple policy in rego and I would like to use fregot to make some test and to help me to troubleshoot my policies.

I've wrote a simple policy which work in OPA Playground but not with fregot. When I tried to load it from repl I've this error:


fregot (compile error):
  "    satisfied := [good | labelProvided := labels[_]; (labelProvided == labelRequired)]" (line 1, column 55):
  invalid unification:

    1|     satisfied := [good | labelProvided := labels[_]; (labelProvided == labelRequired)]
                                                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You can find the policy just below:

package k8srequiredlabels

deny {
    labels := {label | input.review.object.metadata.labels[label]}
    requiredLabels := ["entity", "site"]
    labelRequired := requiredLabels[_]
    satisfied := [good | labelProvided := labels[_]; good := (labelProvided == labelRequired)]
    not any(satisfied)
    msg := sprintf("Object of kind %v does not have the required labels set. got: %v and want: %v", [input.review.kind.kind, labels, requiredLabels])
}

Version: fregot v0.13.3

Thanks.

Jasper Van der Jeugt · Answer 1 · Wed Mar 03 2021 23:27:57 GMT+0800 (China Standard Time)

Thanks a lot for reporting this, it's very useful to catch these cases. This should be fixed in v0.13.4!