opa blog part2

rules.rego

# Rule: Check if the item submitted is a pod.
isPod {
    input.request.kind.kind == "Pod"
}

# Rule: Check if pod already has a `nodeSelector` set
hasNodeSelector {
    input.request.object.spec.nodeSelector
    count(input.request.object.spec.nodeSelector) > 0
}

# Rule: Given a namespace iterate through the `namespaceToAgentPool` array
# and return the value which the `agentpool` should be set to in the 
# node selector. 
getPoolForNamespace(namespace) = poolLabel {
    pool := namespaceToAgentPool[_]
    pool.namespace == namespace

    poolLabel := pool.agentpool
}


# Rule: Checks if the object is in a namespace we should process. 
shouldProcessForNamespace(ignored) {
    not contains(ignored, input.request.object.metadata.namespace)
}

# Rule: Helper to check if an array contains an instance of `item`
contains(items, item) {
    items[_] == item
}

# Data: Used to map namespace -> agentpools...
# Would be updated with more rules as the list grows
namespaceToAgentPool := [
    { "namespace": "default", "agentpool": "pool1"},
    { "namespace": "gpuwork", "agentpool": "gpu1"},
    { "namespace": "memintensivework", "agentpool": "highmem1"},
]

# Data: Namespaces which we should ignore when processing requests
# so we don't mess with any system pods etc. 
# todo// check not missing any
ignoredNamespaces := [
    "kube-node-lease",
    "kube-public",
    "kube-system",
    "opa"
]