This repository has been archived by the owner on Jan 12, 2023. It is now read-only.

Enforce a label policy on pods #42

Open
alpe opened this issue Jan 9, 2020 · 2 comments

@alpe
Contributor

alpe commented Jan 9, 2020

Organisations usually come up with some best practices for monitoring and managing pods. A new policy could enforce a configurable list of labels to be mandatory to run a pod in the environment.
For example, all pods should have an app label.

The policies.Config would need to be extended with a new field.

```go
type Config struct {
	// ...
	PolicyMandatoryPodLabels []string
}
```

🤔 Extensions

  • While this issue is for pods only, it makes sense to think about enforcing labels for other components as well.
  • Another extension could be enforcing annotations on a type. For example, kubernetes.io/ingress.class must not be empty for an ingress in a multi ingress-controller environment.

@dustin-decker
Contributor

Good idea.

To facilitate checking labels or annotations for other kinds of resources, we could accept that in the configuration for a more generic policy:

```go
// LabelConfig lists the labels and annotations required on the given kinds.
type LabelConfig struct {
	Kinds       []string
	Labels      []string
	Annotations []string
}

type Config struct {
	// ...
	PolicyMandatoryLabelsOrAnnotations []LabelConfig
}
```

To do this, we'd need to add another resource extractor that pulls out v1.TypeMeta and v1.ObjectMeta.
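
Added example, not k-rail code and not written by either commenter: one way to evaluate the proposed LabelConfig list against a resource's kind, labels and annotations. Meta is a hypothetical stand-in for the v1.TypeMeta and v1.ObjectMeta fields, and MissingMetadata and the rule that an empty value counts as missing are assumptions.

```go
package main

import "fmt"

// LabelConfig is the shape proposed in the comment above.
type LabelConfig struct {
	Kinds, Labels, Annotations []string
}

// Meta is a hypothetical stand-in for the v1.TypeMeta and v1.ObjectMeta fields
// a resource extractor would hand to the policy.
type Meta struct {
	Kind                string
	Labels, Annotations map[string]string
}

// MissingMetadata lists, in rule order and without duplicates, every required
// key that is absent or empty on m. Counting an empty value as missing is an assumption.
func MissingMetadata(rules []LabelConfig, m Meta) []string {
	var missing []string
	seen := map[string]bool{}
	check := func(prefix string, required []string, have map[string]string) {
		for _, key := range required {
			if id := prefix + key; have[key] == "" && !seen[id] {
				seen[id] = true
				missing = append(missing, id)
			}
		}
	}
	for _, r := range rules {
		for _, kind := range r.Kinds {
			if kind == m.Kind { // kinds are compared case-sensitively
				check("label:", r.Labels, m.Labels)
				check("annotation:", r.Annotations, m.Annotations)
				break
			}
		}
	}
	return missing
}

func main() {
	// Constructed sample rules and resource, not taken from k-rail.
	rules := []LabelConfig{
		{Kinds: []string{"Pod"}, Labels: []string{"app"}},
		{Kinds: []string{"Ingress"}, Annotations: []string{"kubernetes.io/ingress.class"}},
	}
	fmt.Println(MissingMetadata(rules, Meta{Kind: "Pod", Labels: map[string]string{"team": "x"}}))
}
```

An admission policy built on this would reject the resource whenever the returned slice is non-empty and report the listed keys in the violation message.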

@mark-adams
Contributor

👋 The k-rail project has been deprecated and is no longer under active development. We recommend taking a look at OPA Gatekeeper to see if it might meet your needs going forward.

Thanks for your contribution(s) to the project!
