The JSONPath option for adding custom rules is a guided configuration of a Manageable Access-Control Policy Language (MAPL) rule that has limited capabilities. MAPL is a language for rules that controls access in a microservices environment. Use this kind of rule to define the desired state of your Kubernetes resources.

JSONPath custom rules can contain multiple conditions that are linked with logical operands. Conditions include a Kubernetes resource — Resource Kind — that is connected to an expected valued.

You can configure a basic JSONPath custom rule using the guided configuration in the console.

Characteristic Description
Resource kind Type of Kubernetes resource to which the rule refers.
JSONPath

The JSONPath selector is used to get to a certain setting and specify its value in the configuration file of a Kubernetes resource.

Note: You must start the JSONPath selector string with the $ sign.

A custom rule can have multiple JSONPath criteria that use AND logic to match individual resources.

JSONPath is a way to represent an element or a selection of elements in a JSON or YAML file. A jsonpath expression is built as a tree:

{.element} {.child} {.grand-child}

A jsonpath expression starts with a dot (.) to start matching from the root of the configuration, followed by the name of a child, then grandchild, and so on.

Use [:] to match any element inside an array, such as any label name inside $.metadata.labels. For example: $*.metadata.labels[:].name*.
Method The method to evaluate the resource value:
  • EQ - equal
  • NE- not equal
  • RE - match a regular expression
  • NRE - does not match a regular expression
  • LT - lower than
  • LE - lower or equal than
  • GT - greater than
  • GE - greater or equal than
  • EX - exists
  • NEX - does not exist
  • IN - in list of values [val1,val2,val3,...]
  • NIN - not in list of values [val1,val2,val3,...]
Value The threshold value to match the resource value. If the value is not matched, the rule is violated.

Example JSON

{
  "apiVersion": "v1",
  "kind": "Namespace",
  "metadata": {
    "creationTimestamp": "2021-04-09T00:52:44Z",
    "managedFields": [
      {
        "apiVersion": "v1",
        "fieldsType": "FieldsV1",
        "fieldsV1": {
          "f:status": {
            "f:phase": {}
          }
        },  ...

Example Custom Rule 1

Do not allow workloads that have more than 5 replicas:

$.spec.replicas GT 5

Example Custom Rule 2

Requires presence of CPU quotas for all containers:

$.spec.template.spec.containers[:].resources.limits.cpu NEX

Example Custom Rules 3 and 4

Requires each workload to have a label named serviceOwner and a value that looks like an email address (2 rules):
  • $.spec.template.metadata.label.serviceOwner NEX
  • $.spec.template.metadata.label.serviceOwner NRE .+@example\.com