I can't scan a policy

[sofiafernandezmoreno]

I'm facing problems with a policy:

{"level":"error","ts":1649766883.963127,"logger":"controller.configmap","msg":"Reconciler error","reconciler group":"","reconciler kind":"ConfigMap","name":"starboard","namespace":"test","error":"evaluating resource: failed parsing policy metadata: policy.configmap_sensitive.rego","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227"}

I'm trying to check if a configmap has sensitive data, but I'm experiencing problems but I'm not sure if it's related with Rego format, this policy works when I active Conftest scanner

apiVersion: v1
kind: ConfigMap
metadata:
  name: starboard-policies-config
  namespace: d-starboard
  labels:
    app.kubernetes.io/name: starboard-operator
    app.kubernetes.io/instance: starboard-operator
    app.kubernetes.io/version: "0.15.2"
    app.kubernetes.io/managed-by: kubectl
data:
  policy.recommended_labels.kinds: "*"
  policy.recommended_labels.rego: |
    package starboard.policy.k8s.custom

    __rego_metadata__ := {
        "id": "recommended_labels",
        "title": "Recommended labels",
        "severity": "LOW",
        "type": "Kubernetes Security Check",
        "description": "A common set of labels allows tools to work interoperably, describing objects in a common manner that all tools can understand",
        "recommended_actions": "Take full advantage of using recommended labels and apply them on every resource object.",
        "url": "https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/",
    }

    recommended_labels := [
        "app.kubernetes.io/name",
        "app.kubernetes.io/version",
    ]

    deny[res] {
        provided := {label | input.metadata.labels[label]}
        required := {label | label := recommended_labels[_]}
        missing := required - provided
        count(missing) > 0
        msg := sprintf("You must provide labels: %v", [missing])
        res := {"msg": msg}
    }
  policy.configmap_sensitive.kinds: "ConfigMap"
  policy.configmap_sensitive.rego: |
    package kubernetes.validating.configmap


    sensitive_denylist := [
      "pass",
      "secret",
      "key",
      "token",
      "password",
      "username",
    ]

    check_sensitive(keys, denylist) {
      _ = keys[key]
      contains(key, denylist[_])
    }

    deny[msg] {
      input.kind == "ConfigMap"
      input.data = keys
      check_sensitive(keys, sensitive_denylist)
      msg := {
        "publicId": "K00001",
        "title": "ConfigMap exposes sensitive data",
        "severity": "high",
        "msg": "input.data",
        "issue": "",
        "impact": "",
        "remediation": "",
        "references": [],
      }
    }

[danielpacak]

It seems that you have not defined the __rego_metadata__ Rego rule, which is required. See how we defined it in the recommended labels example in the tutorial on Writing a Policy.