kind: ConfigMap apiVersion: v1 metadata: name: deployment-spec-temp-labels namespace: opa labels: app: opa owner: jimmy openpolicyagent.org/policy: rego data: main: | package kubernetes.admission import data.lib.k8s.helpers as helpers deny[msg] { input.request.kind.kind = "Deployment" helpers.allowed_operations[helpers.request_operation] required_labels := helpers.required_deployment_labels provided_labels := {k | helpers.request_spec_template_metadata_labels[k]} # use set comprehension to construct set from input missing_labels := required_labels - provided_labels # perform set difference count(missing_labels) > 0 msg = sprintf("%q: %q label(s) missing. %q are required labels in the spec.template.metadata.labels element. Resource ID (ns/name/kind): %q", [helpers.deployment_error,concat(", ",missing_labels),concat(", ",required_labels),helpers.request_id]) }