plexsystems
diff --git a/‎examples/container-deny-added-caps/template.yaml
Lines changed: 25 additions & 18 deletions b/‎examples/container-deny-added-caps/template.yaml
Lines changed: 25 additions & 18 deletions
diff --git a/‎examples/container-deny-escalation/template.yaml
Lines changed: 18 additions & 13 deletions b/‎examples/container-deny-escalation/template.yaml
Lines changed: 18 additions & 13 deletions
diff --git a/‎examples/container-deny-latest-tag/template.yaml
Lines changed: 18 additions & 13 deletions b/‎examples/container-deny-latest-tag/template.yaml
Lines changed: 18 additions & 13 deletions
@@ -13,18 +13,20 @@ spec:
     - |-
       package lib.core
 
+      import future.keywords.if
+
       default is_gatekeeper := false
 
-      is_gatekeeper {
+      is_gatekeeper if {
         has_field(input, "review")
         has_field(input.review, "object")
       }
 
-      resource := input.review.object {
+      resource := input.review.object if {
         is_gatekeeper
       }
 
-      resource := input {
+      resource := input if {
         not is_gatekeeper
       }
 
@@ -47,74 +49,79 @@ spec:
 
       gv := split(apiVersion, "/")
 
-      group := gv[0] {
+      group := gv[0] if {
         contains(apiVersion, "/")
       }
 
-      group := "core" {
+      group := "core" if {
         not contains(apiVersion, "/")
       }
 
       version := gv[count(gv) - 1]
 
-      has_field(obj, field) {
+      has_field(obj, field) if {
         not object.get(obj, field, "N_DEFINED") == "N_DEFINED"
       }
 
-      missing_field(obj, field) {
+      missing_field(obj, field) if {
         obj[field] == ""
       }
 
-      missing_field(obj, field) {
+      missing_field(obj, field) if {
         not has_field(obj, field)
       }
     - |-
       package lib.pods
 
+      import future.keywords.contains
+      import future.keywords.if
+
       import data.lib.core
 
       default pod := false
 
-      pod := core.resource.spec.template {
+      pod := core.resource.spec.template if {
         pod_templates := ["daemonset", "deployment", "job", "replicaset", "replicationcontroller", "statefulset"]
         lower(core.kind) == pod_templates[_]
       }
 
-      pod := core.resource {
+      pod := core.resource if {
         lower(core.kind) == "pod"
       }
 
-      pod := core.resource.spec.jobTemplate.spec.template {
+      pod := core.resource.spec.jobTemplate.spec.template if {
         lower(core.kind) == "cronjob"
       }
 
-      containers[container] {
+      containers contains container if {
         keys := {"containers", "initContainers"}
         all_containers := [c | some k; keys[k]; c = pod.spec[k][_]]
         container := all_containers[_]
       }
 
-      volumes[pod.spec.volumes[_]]
+      volumes contains pod.spec.volumes[_]
     - |-
       package lib.security
 
-      dropped_capability(container, cap) {
+      import future.keywords.if
+
+      dropped_capability(container, cap) if {
         lower(container.securityContext.capabilities.drop[_]) == lower(cap)
       }
 
-      dropped_capability(psp, cap) {
+      dropped_capability(psp, cap) if {
         lower(psp.spec.requiredDropCapabilities[_]) == lower(cap)
       }
 
-      added_capability(container, cap) {
+      added_capability(container, cap) if {
         lower(container.securityContext.capabilities.add[_]) == lower(cap)
       }
 
-      added_capability(psp, cap) {
+      added_capability(psp, cap) if {
         lower(psp.spec.allowedCapabilities[_]) == lower(cap)
       }
 
-      added_capability(psp, cap) {
+      added_capability(psp, cap) if {
         lower(psp.spec.defaultAddCapabilities[_]) == lower(cap)
       }
     rego: |-
 
@@ -13,18 +13,20 @@ spec:
     - |-
       package lib.core
 
+      import future.keywords.if
+
       default is_gatekeeper := false
 
-      is_gatekeeper {
+      is_gatekeeper if {
         has_field(input, "review")
         has_field(input.review, "object")
       }
 
-      resource := input.review.object {
+      resource := input.review.object if {
         is_gatekeeper
       }
 
-      resource := input {
+      resource := input if {
         not is_gatekeeper
       }
 
@@ -47,54 +49,57 @@ spec:
 
       gv := split(apiVersion, "/")
 
-      group := gv[0] {
+      group := gv[0] if {
         contains(apiVersion, "/")
       }
 
-      group := "core" {
+      group := "core" if {
         not contains(apiVersion, "/")
       }
 
       version := gv[count(gv) - 1]
 
-      has_field(obj, field) {
+      has_field(obj, field) if {
         not object.get(obj, field, "N_DEFINED") == "N_DEFINED"
       }
 
-      missing_field(obj, field) {
+      missing_field(obj, field) if {
         obj[field] == ""
       }
 
-      missing_field(obj, field) {
+      missing_field(obj, field) if {
         not has_field(obj, field)
       }
     - |-
       package lib.pods
 
+      import future.keywords.contains
+      import future.keywords.if
+
       import data.lib.core
 
       default pod := false
 
-      pod := core.resource.spec.template {
+      pod := core.resource.spec.template if {
         pod_templates := ["daemonset", "deployment", "job", "replicaset", "replicationcontroller", "statefulset"]
         lower(core.kind) == pod_templates[_]
       }
 
-      pod := core.resource {
+      pod := core.resource if {
         lower(core.kind) == "pod"
       }
 
-      pod := core.resource.spec.jobTemplate.spec.template {
+      pod := core.resource.spec.jobTemplate.spec.template if {
         lower(core.kind) == "cronjob"
       }
 
-      containers[container] {
+      containers contains container if {
         keys := {"containers", "initContainers"}
         all_containers := [c | some k; keys[k]; c = pod.spec[k][_]]
         container := all_containers[_]
       }
 
-      volumes[pod.spec.volumes[_]]
+      volumes contains pod.spec.volumes[_]
     rego: |-
       package container_deny_escalation
 
 
@@ -13,18 +13,20 @@ spec:
     - |-
       package lib.core
 
+      import future.keywords.if
+
       default is_gatekeeper := false
 
-      is_gatekeeper {
+      is_gatekeeper if {
         has_field(input, "review")
         has_field(input.review, "object")
       }
 
-      resource := input.review.object {
+      resource := input.review.object if {
         is_gatekeeper
       }
 
-      resource := input {
+      resource := input if {
         not is_gatekeeper
       }
 
@@ -47,54 +49,57 @@ spec:
 
       gv := split(apiVersion, "/")
 
-      group := gv[0] {
+      group := gv[0] if {
         contains(apiVersion, "/")
       }
 
-      group := "core" {
+      group := "core" if {
         not contains(apiVersion, "/")
       }
 
       version := gv[count(gv) - 1]
 
-      has_field(obj, field) {
+      has_field(obj, field) if {
         not object.get(obj, field, "N_DEFINED") == "N_DEFINED"
       }
 
-      missing_field(obj, field) {
+      missing_field(obj, field) if {
         obj[field] == ""
       }
 
-      missing_field(obj, field) {
+      missing_field(obj, field) if {
         not has_field(obj, field)
       }
     - |-
       package lib.pods
 
+      import future.keywords.contains
+      import future.keywords.if
+
       import data.lib.core
 
       default pod := false
 
-      pod := core.resource.spec.template {
+      pod := core.resource.spec.template if {
         pod_templates := ["daemonset", "deployment", "job", "replicaset", "replicationcontroller", "statefulset"]
         lower(core.kind) == pod_templates[_]
       }
 
-      pod := core.resource {
+      pod := core.resource if {
         lower(core.kind) == "pod"
       }
 
-      pod := core.resource.spec.jobTemplate.spec.template {
+      pod := core.resource.spec.jobTemplate.spec.template if {
         lower(core.kind) == "cronjob"
       }
 
-      containers[container] {
+      containers contains container if {
         keys := {"containers", "initContainers"}
         all_containers := [c | some k; keys[k]; c = pod.spec[k][_]]
         container := all_containers[_]
       }
 
-      volumes[pod.spec.volumes[_]]
+      volumes contains pod.spec.volumes[_]
     rego: |-
       package container_deny_latest_tag