# OPA v1

We recommend using OPA v2 policies. These instructions remain here for backward compatibility. For writing OPA v2 policies, refer to the Designing OPA policies documentation.

# Varying Action Item Attributes

The replicas.rego file would look like:

package fairwinds

replicasRequired[actionItem] {
  input.spec.replicas == 0
  actionItem := {
    "title": concat(" ", [input.kind, "does not have replicas set"]),
    "description": "All workloads at acme-co must explicitly set the number of replicas,
    "remediation": "Please set `spec.replicas`",
    "category": "Reliability",
  }
}

Next, we'd create two instances. deployments.yaml:

output:
  severity: 0.9
targets:
- apiGroups: ["apps"]
  kinds: ["Deployment"]

statefulSets.yaml:

output:
  severity: 0.4
targets:
- apiGroups: ["apps"]
  kinds: ["StatefulSet"]

# Restricting OPA Policies by Insights Context

Specifying a runEnvironments section in your Instance YAML will limit that OPA policy to the contexts selected:

runEnvironments:
- Admission
- Agent
targets:
- apiGroups: ["apps"]
  kinds: ["StatefulSet"]

# Varying Execution by Kubernetes Clusters

Specifying a clusters section in the instance YAML will only execute that OPA policy in those clusters:

clusters:
- us-east-1
targets:
- apiGroups: ["apps"]
  kinds: ["StatefulSet"]

# Variable Parameters

This rego uses a parameter defined separately in each instance YAML file:

package fairwinds

replicasRequired[actionItem] {
  input.spec.replicas < input.parameters.minReplicas
  actionItem := {
    "title": sprintf("%s does not have enough replicas set", [input.kind]),
    "description": "Workloads at acme-co must have minimum number of replicas",
    "remediation": "Please set `spec.replicas` appropriately",
    "category": "Reliability",
    severity: 0.2,
  }
}

deployments.yaml:

parameters:
  minReplicas: 3
targets:
- apiGroups: ["apps"]
  kinds: ["Deployment"]

statefulSets.yaml:

parameters:
  minReplicas: 1
targets:
- apiGroups: ["apps"]
  kinds: ["StatefulSet"]