{"id":22930673,"url":"https://github.com/kubewarden/safe-annotations-policy","last_synced_at":"2025-07-23T01:31:49.639Z","repository":{"id":41050279,"uuid":"394197071","full_name":"kubewarden/safe-annotations-policy","owner":"kubewarden","description":"Kubewarden policy that validates Kubernetes' resource annotations","archived":false,"fork":false,"pushed_at":"2025-07-18T08:44:36.000Z","size":1238,"stargazers_count":4,"open_issues_count":2,"forks_count":4,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-07-18T12:33:39.947Z","etag":null,"topics":["hacktoberfest","kubernetes","kubernetes-compliance","kubernetes-security","kubewarden-policy","policy-as-code","webassembly"],"latest_commit_sha":null,"homepage":"https://kubewarden.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kubewarden.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-08-09T07:40:41.000Z","updated_at":"2025-07-18T08:44:38.000Z","dependencies_parsed_at":"2023-11-06T02:33:38.305Z","dependency_job_id":"9dbeb1cd-bfb8-4c86-9cf7-046de5558f98","html_url":"https://github.com/kubewarden/safe-annotations-policy","commit_stats":{"total_commits":101,"total_committers":13,"mean_commits":7.769230769230769,"dds":0.6732673267326732,"last_synced_commit":"b99aac5fa731a58b9f453a50c5c704e308a87a91"},"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"purl":"pkg:github/kubewarden/safe-annotations-policy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewarden
%2Fsafe-annotations-policy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewarden%2Fsafe-annotations-policy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewarden%2Fsafe-annotations-policy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewarden%2Fsafe-annotations-policy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kubewarden","download_url":"https://codeload.github.com/kubewarden/safe-annotations-policy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewarden%2Fsafe-annotations-policy/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266602700,"owners_count":23954694,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-22T02:00:09.085Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacktoberfest","kubernetes","kubernetes-compliance","kubernetes-security","kubewarden-policy","policy-as-code","webassembly"],"created_at":"2024-12-14T10:29:16.233Z","updated_at":"2025-07-23T01:31:49.612Z","avatar_url":"https://github.com/kubewarden.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Kubewarden Policy 
Repository](https://github.com/kubewarden/community/blob/main/badges/kubewarden-policies.svg)](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#policy-scope)\n[![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#stable)\n\nThis policy validates the annotations of generic Kubernetes objects.\n\nThe policy rejects all the resources that use one or more annotations on the\ndeny list. The deny list is provided at runtime via the policy configuration.\n\nThe policy allows users to put constraints on specific annotations. The constraints\nare expressed as regular expressions and are provided via the policy settings.\n\nThe policy settings look like this:\n\n```yaml\n# List of annotations that cannot be used\ndenied_annotations:\n  - foo\n  - bar\n\n# List of annotations that must be defined\nmandatory_annotations:\n  - cost-center\n\n# Annotations that are validated with user-defined RegExp\n# Failing to comply with the RegExp results in the object\n# being rejected\nconstrained_annotations:\n  priority: \"[123]\"\n  cost-center: \"^cc-\\\\d+$\"\n```\n\n\u003e **Note well:** the regular expression must be expressed\n\u003e using [Go's syntax](https://golang.org/pkg/regexp/syntax/).\n\nGiven the configuration from above, the policy would reject the creation\nof this Pod:\n\n```yaml\napiVersion: v1\nkind: Pod\nmetadata:\n  name: nginx\n  annotations:\n    foo: hello world\nspec:\n  containers:\n    - name: nginx\n      image: nginx:latest\n```\n\nThe policy would also reject the creation of this Ingress resource:\n\n```yaml\napiVersion: networking.k8s.io/v1\nkind: Ingress\nmetadata:\n  name: minimal-ingress\n  annotations:\n    cost-center: cc-marketing\n    nginx.ingress.kubernetes.io/rewrite-target: /\nspec:\n  rules:\n    - http:\n        paths:\n          - path: /testpath\n            pathType: Prefix\n            backend:\n              service:\n     
           name: test\n                port:\n                  number: 80\n```\n\nPolicy's settings can also be used to force certain annotations to be specified,\nregardless of their contents:\n\n```yaml\n# Policy's settings\n\nconstrained_annotations:\n  mandatory-annotation: \".*\" # \u003c- this annotation must be present, we don't care about its value\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkubewarden%2Fsafe-annotations-policy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkubewarden%2Fsafe-annotations-policy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkubewarden%2Fsafe-annotations-policy/lists"}