Business Problem:

Customer would like to have a policy that can alert when a Deployment has a specific label.

Use Cases:

Desired behavior:
ACS Policy will trigger a violation when
EITHER
(1) Deployment DOES NOT have the label abc.com/product-code
OR
(2) Deployment DOES have the label abc.com/product-code with the value "undefined"

Current behavior:
(1) Can be accomplished with a required label criteria
(2) Can NOT be accomplished with policy criteria, because there is no "Disallowed Deployment Label" criteria

Workaround:
Create TWO policies:
(1) One that uses the required label for abc.com/product-code to identify deployments that are missing the label.
(2) One that creates an automatic violation (require a label that will never exist, for example), and use the Inclusion Scope with a label of abc.com/product-code : undefined to limit application to deployments that have that "disallowed" label.

The best solution for the desired behavior is to add "Disallowed Label" as a Deployment metadata policy criteria.

Key Functionality:

Add Disallowed label to Deployment metadata policy criteria.

Allow user to specify Key and/or Value for Deployment labels, supporting regular expressions.

ACS will indicate a violation for Deployments that contain a label that meets the criteria.

Benefits:

This __ gives customers more flexibility with defining ACS policies and identifying Deployments that violate customer policies

Acceptance criteria:

Customer can create an ACS policy that will trigger a violation when a Deployment has a label that matches the specified criteria, using regular expressions for the key and/or value.

Implementation Suggestions (optional):

• Mirror the functionality of the Disallowed annotation and Diasallow image label criteria

Timeline:

ASAP