The JSONPath option for adding custom rules is a guided configuration of a Manageable Access-Control Policy Language (MAPL) rule that has limited capabilities. MAPL is a language for rules that controls access in a microservices environment. Use this kind of rule to define the desired state of your Kubernetes resources.
JSONPath custom rules can contain multiple conditions that are linked with logical operands. Each condition names a Kubernetes resource (the Resource Kind) and connects it to an expected value.
You can configure a basic JSONPath custom rule using the guided configuration in the console.
Characteristic | Description
---|---
Resource kind | Type of Kubernetes resource to which the rule refers.
JSONPath | The JSONPath selector is used to reach a specific setting in the configuration file of a Kubernetes resource and to specify the value expected there. Note: You must start the JSONPath selector string with the $ sign. A custom rule can have multiple JSONPath criteria that use AND logic to match individual resources. JSONPath is a way to represent an element or a selection of elements in a JSON or YAML file. A JSONPath expression is built as a tree: it starts with a dot (.) to begin matching from the root of the configuration, followed by the name of a child, then a grandchild, and so on. Use
Method | The method to evaluate the resource value:
Value | The threshold value to match the resource value. If the value is not matched, the rule is violated.
Example JSON

```
{
  "apiVersion": "v1",
  "kind": "Namespace",
  "metadata": {
    "creationTimestamp": "2021-04-09T00:52:44Z",
    "managedFields": [
      {
        "apiVersion": "v1",
        "fieldsType": "FieldsV1",
        "fieldsV1": { "f:status": { "f:phase": {} } },
        ...
```
Example Custom Rule 1

Do not allow workloads that have more than 5 replicas:

`$.spec.replicas GT 5`

Example Custom Rule 2

Require the presence of CPU quotas for all containers:

`$.spec.template.spec.containers[:].resources.limits.cpu NEX`

Example Custom Rules 3 and 4

Require the label `serviceOwner` on the pod template and a value that looks like an email address (2 rules). Pod template labels live under `metadata.labels`, so the selector uses that key:

- `$.spec.template.metadata.labels.serviceOwner NEX`
- `$.spec.template.metadata.labels.serviceOwner NRE .+@example\.com`
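To show how the four example rules above resolve against a real manifest, here is a small added evaluator in Python; it is not part of the product or of MAPL. It supports only the JSONPath subset the examples use (`$`, `.child`, `[:]`, `[n]`) and interprets GT, NEX and NRE as greater-than, not-exists and not-matching-regex, an assumption taken from the examples, where a matching condition is the violating state; the Deployment it checks is a constructed sample.

```python
import re

def select(doc, path):
    """Return every value a JSONPath selector matches: "$" root, ".name" child, "[:]" all elements, "[n]" one."""
    assert path.startswith("$"), "JSONPath selector must start with $"
    nodes = [doc]
    for name, index in re.findall(r"\.([^.\[]+)|\[(:|\d+)\]", path[1:]):
        nxt = []
        for node in nodes:
            if name and isinstance(node, dict) and name in node:
                nxt.append(node[name])
            elif index == ":" and isinstance(node, list):
                nxt.extend(node)
            elif index and isinstance(node, list) and int(index) < len(node):
                nxt.append(node[int(index)])
        nodes = nxt  # a missing key or index simply matches nothing
    return nodes

def matches(resource, path, method, value=""):
    """True when the condition holds; for the example rules that is the violating state."""
    if method in ("EX", "NEX"):
        # Existence is judged per array element: "containers[:]...cpu NEX" fires
        # when ANY container lacks a CPU limit, or when nothing matches at all.
        cut = path.rfind("]") + 1
        base, rest = (path[:cut], path[cut:]) if cut else ("$", path[1:])
        elems = select(resource, base)
        exists = bool(elems) and all(select(e, "$" + rest) for e in elems)
        return exists if method == "EX" else not exists
    found = select(resource, path)
    if method == "GT":  # numeric threshold; any matched value may trigger it
        return any(float(v) > float(value) for v in found)
    if method in ("RE", "NRE"):  # regex over the whole value; absence is NEX's job
        hits = [re.fullmatch(value, str(v)) is not None for v in found]
        return bool(hits) and all(hits) if method == "RE" else not all(hits)
    raise ValueError(f"unsupported method {method}")

SAMPLE_DEPLOYMENT = {  # constructed sample input, not taken from a real cluster
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"replicas": 8, "template": {
        "metadata": {"labels": {"serviceOwner": "ops-team"}},
        "spec": {"containers": [
            {"name": "app", "resources": {"limits": {"cpu": "500m"}}},
            {"name": "sidecar", "resources": {}}]}}}}
RULES = [  # (JSONPath, method, value): the four example rules from the page
    ("$.spec.replicas", "GT", "5"),
    ("$.spec.template.spec.containers[:].resources.limits.cpu", "NEX", ""),
    ("$.spec.template.metadata.labels.serviceOwner", "NEX", ""),
    ("$.spec.template.metadata.labels.serviceOwner", "NRE", r".+@example\.com")]

def violated(resource, rules=RULES):
    return [f"{p} {m} {v}".strip() for p, m, v in rules if matches(resource, p, m, v)]
```

For the sample Deployment, `violated(SAMPLE_DEPLOYMENT)` reports rules 1, 2 and 4 (too many replicas, the sidecar has no CPU limit, and the owner label is not an e-mail address), while rule 3 passes because the label exists.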