Need help: fetch multiple key values from data inventory

[laxmanvallandas]

Hello, Newbie in rego here.

Below logic is mostly inspired from https://github.com/open-policy-agent/gatekeeper/blob/b7230e0bdc3479b867acd2fd0d7192b1182c59d4/demo/basic/templates/k8suniquelabel_template.yaml#L47
Is there a way in rego to directly map multiple values to a key?
Below is our violation logic.
In addition to input params, we also want to print the namespace in which annotation already exists in a service. Is that possible to achieve?

        violation[{"msg": msg}] {
          hostname := hostnames[_]
          h = trim(hostname, " ")
          ns_objs := [o | o = data.inventory.namespace[_][_][_][_]]
          all_values := {h | obj = ns_objs[_]; h = obj.metadata.annotations[input.parameters.annotation]}
          count({h} - all_values) == 0
          msg := sprintf("annotation <%v> with value <%v> already exists for another %v", [input.parameters.annotation, h, input.review.object.kind])
        }

[anderseknert]

Hey there! And sorry for the late reply — somehow I hadn't seen this until now. You could extract the name of the namespace(s) as well when iterating over the data.inventory.namespace map, and perhaps use an object comprehension to store the result instead of an array. Also, the hostname seems to be irrelevant here, so that could likely be removed? Untested code, but something like this might be closer to what you want:

ns_objs := {ns: o |
	some ns
	o := data.inventory.namespace[ns][_][_][_]
}

violation[{"msg": msg}] {
	some ns
	obj := ns_objs[ns]
	existing := obj.metadata.annotations[input.parameters.annotation]

	msg := sprintf("annotation <%v> with value <%v> already exists for another %v in namespace %v", [
		input.parameters.annotation,
		existing,
		input.review.object.kind,
		ns,
	])
}

This line is suspicious though:

existing := obj.metadata.annotations[input.parameters.annotation]

You probably want to use a value from the object submitted for review rather than a parameter here..

[laxmanvallandas]

No worries and thanks for the response.
Have tried above approach and rego throws following error:

  - errors:
    - code: ingest_error
      message: |-
        Could not ingest Rego: unable to compile modules: 2 errors occurred:
        template:16: rego_unsafe_var_error: var msg is unsafe
        template:16: rego_unsafe_var_error: var ns is unsafe

Here is the updated snippet:

        hostnames = <defined>
        svc_objs := {ns: o |
        	some ns
        	o := data.inventory.namespace[ns][_]["Service"][_]
        }

        violation[{"msg": msg}] {
          hostname := hostnames[_]
          h = trim(hostname, " ")
          some ns
          all_values := {h | obj = svc_objs[_]; h = obj.metadata.annotations[input.parameters.annotation]}
          count({h} - all_values) == 0
          msg := sprintf("annotation <%v> with value <%v> already exists for another %v in ns %v", [input.parameters.annotation, h, input.review.object.kind, ns])
        }

[anderseknert]

That's not the above approach, but something in between :) You're using ns in the msg string but that's not defined inside of your rule.