Aggregates
| Function | Description | Meta |
|---|---|---|
|
Count takes a collection or string and returns the number of elements (or characters) in it. Arguments: Returns:collection (any<string, array[any], object[any: any], set[any]>)the set/array/object/string to be counted n (number)the count of elements, key/val pairs, or characters, respectively. | Wasm |
|
Returns the maximum value in a collection. Arguments: Returns:collection (any<array[any], set[any]>)the set or array to be searched n (any)the maximum of all elements | Wasm |
|
Returns the minimum value in a collection. Arguments: Returns:collection (any<array[any], set[any]>)the set or array to be searched n (any)the minimum of all elements | Wasm |
|
Multiplies elements of an array or set of numbers Arguments: Returns:collection (any<array[number], set[number]>)the set or array of numbers to multiply n (number)the product of all elements | Wasm |
|
Returns a sorted array. Arguments: Returns:collection (any<array[any], set[any]>)the array or set to be sorted n (array[any])the sorted array | Wasm |
|
Sums elements of an array or set of numbers. Arguments: Returns:collection (any<array[number], set[number]>)the set or array of numbers to sum n (number)the sum of all elements | Wasm |
Examples
count
count returns the number of elements in an array, set, or object, or the
number of runes in a string. It's the simplest building block for size-based
policy checks (e.g. "reject any Pod with more than 10 containers").
Counting items in a list
A common policy pattern is rejecting a request whose collection has too
many or too few items, e.g. an Ingress with no rules, or a Pod that asks
for more than n containers.
count works on arrays, sets, objects, and strings, so the same builtin
covers all four shapes.
package play
# An array
containers := ["nginx", "sidecar", "logger"]
container_count := count(containers)
# A set (duplicates don't count twice)
unique_ports := {80, 443, 80}
unique_port_count := count(unique_ports)
# An object (counts the keys)
labels := {
"app": "web",
"tier": "frontend",
"team": "platform",
}
label_count := count(labels)
# A string (counts the runes)
name := "kubernetes"
name_length := count(name)
# A typical guard: reject if the input has more containers than allowed.
deny contains msg if {
count(input.spec.containers) > 10
msg := sprintf("too many containers: %d", [count(input.spec.containers)])
}
{
"container_count": 3,
"containers": [
"nginx",
"sidecar",
"logger"
],
"deny": [],
"label_count": 3,
"labels": {
"app": "web",
"team": "platform",
"tier": "frontend"
},
"name": "kubernetes",
"name_length": 10,
"unique_port_count": 2,
"unique_ports": [
80,
443
]
}{
"spec": {
"containers": [
"nginx",
"sidecar"
]
}
}
{}
sum
sum adds up the elements of an array or set of numbers. A common use is
budgeting a quota across multiple Kubernetes resources from a single
admission policy.
Limiting total replicas across deployments
sum adds up the elements of an array or set of numbers. A common use is
budgeting a quota across multiple Kubernetes resources from a single
admission policy, e.g. capping the total replicas requested across the
deployments in a namespace.
package play
# Replicas requested by every Deployment in the input.
replicas := [d.spec.replicas | some d in input.deployments]
total_replicas := sum(replicas)
deny contains msg if {
total_replicas > input.budget
msg := sprintf(
"total replicas %d exceeds namespace budget of %d",
[total_replicas, input.budget],
)
}
{
"deny": [
"total replicas 12 exceeds namespace budget of 10"
],
"replicas": [
3,
4,
5
],
"total_replicas": 12
}{
"budget": 10,
"deployments": [
{
"spec": {
"replicas": 3
}
},
{
"spec": {
"replicas": 4
}
},
{
"spec": {
"replicas": 5
}
}
]
}
{}