Complete reference for the PolicyDomain YAML schema.
A PolicyDomain is defined in YAML with the following top-level structure:
```yaml
apiVersion: iamlite.manetu.io/v1beta1
kind: PolicyDomain
metadata:
  name: string
spec:
  policy-libraries: []
  policies: []
  roles: []
  groups: []
  resource-groups: []
  resources: []
  scopes: []
  operations: []
  mappers: []
```
```yaml
apiVersion: iamlite.manetu.io/v1beta1
```
Supported versions: v1alpha3, v1alpha4, v1beta1
| Feature | v1alpha3 | v1alpha4 | v1beta1 |
|---|---|---|---|
| resources section | Not available | Available | Available |
| selector in operations | Optional | Required | Required |
| selector in mappers | Optional | Required | Required |
| Native annotation values | No | No | Yes |
In v1beta1, annotation values can be specified as native YAML instead of JSON-encoded strings:
```yaml
# v1alpha4 - JSON-encoded strings
annotations:
  - name: count
    value: "42"
  - name: tags
    value: '["a", "b"]'
```

```yaml
# v1beta1 - Native YAML values
annotations:
  - name: count
    value: 42
  - name: tags
    value:
      - a
      - b
```
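The version table and the two annotation encodings above can be applied mechanically once the YAML is parsed into a dict. The following Python is an added example, not part of the PolicyEngine tooling: it gates the resources section and the selector requirement by apiVersion, and decodes annotation values to their native form (JSON strings before v1beta1, native YAML values from v1beta1 on). The sections that carry annotations and the constructed sample documents are assumptions.

```python
import json

API_GROUP = "iamlite.manetu.io/"
VERSIONS = ("v1alpha3", "v1alpha4", "v1beta1")  # oldest to newest

def version_index(doc):
    """Position of apiVersion in VERSIONS, so features can be gated by how old the schema is."""
    name = doc.get("apiVersion", "").removeprefix(API_GROUP)
    if name not in VERSIONS:
        raise ValueError(f"unsupported apiVersion: {doc.get('apiVersion')!r}")
    return VERSIONS.index(name)

def schema_problems(doc):
    """Apply the feature table: resources need v1alpha4+, selectors are required from v1alpha4 on."""
    v, spec, problems = version_index(doc), doc.get("spec") or {}, []
    if v < 1 and spec.get("resources"):
        problems.append("resources: section requires v1alpha4 or later")
    if v >= 1:
        for section in ("operations", "mappers"):
            for entry in spec.get(section) or []:
                if not entry.get("selector"):
                    problems.append(f"{section}/{entry.get('name', '?')}: selector is required")
    return problems

def native_annotations(doc):
    """Return {section/entity: {annotation: value}}; before v1beta1 values are JSON-encoded strings."""
    v, spec, result = version_index(doc), doc.get("spec") or {}, {}
    for section in ("roles", "resources"):  # sections shown with annotations on this page (assumption)
        for entry in spec.get(section) or []:
            decoded = {}
            for ann in entry.get("annotations") or []:
                value = ann["value"]
                if v < 2:  # v1alpha3/v1alpha4: the value must be a JSON string, decode it
                    if not isinstance(value, str):
                        raise ValueError(f"{section}/{entry['name']}/{ann['name']}: expected a JSON-encoded string")
                    value = json.loads(value)
                decoded[ann["name"]] = value
            result[f"{section}/{entry['name']}"] = decoded
    return result

# Constructed samples: the page's count/tags annotations in v1alpha4 and v1beta1 encoding.
OLD_DOC = {"apiVersion": "iamlite.manetu.io/v1alpha4", "kind": "PolicyDomain", "spec": {
    "roles": [{"name": "admin", "annotations": [{"name": "count", "value": "42"},
                                                 {"name": "tags", "value": '["a", "b"]'}]}],
    "operations": [{"name": "api", "policy": "mrn:iam:policy:main"}]}}  # selector missing
NEW_DOC = {"apiVersion": "iamlite.manetu.io/v1beta1", "kind": "PolicyDomain", "spec": {
    "roles": [{"name": "admin", "annotations": [{"name": "count", "value": 42},
                                                 {"name": "tags", "value": ["a", "b"]}]}],
    "operations": [{"name": "api", "selector": [".*"], "policy": "mrn:iam:policy:main"}]}}
```

Both sample documents decode to the same native annotations; only the v1alpha4 one is flagged for its missing operation selector.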
The PolicyEngine supports two related document kinds:
| Kind | Description |
|---|---|
| PolicyDomain | Complete bundle with inline Rego code |
| PolicyDomainReference | Development format that references external .rego files |
PolicyDomainReference is a superset of PolicyDomain designed for development workflows. The key differences:
| Aspect | PolicyDomain | PolicyDomainReference |
|---|---|---|
| Rego code | Inline rego field only | Either rego (inline) or rego_filename (external file) |
| Use case | Deployment, runtime | Development, source control |
| Kubernetes Operator | Supported (Premium) | Must convert first |
Which format should I use?
For development: Use PolicyDomainReference with rego_filename to keep Rego code in separate .rego files. This enables IDE syntax highlighting, easier testing, and cleaner diffs in version control.
For deployment: Use PolicyDomain with inline rego. Convert from PolicyDomainReference using mpe build.
Community users: All tooling (mpe test, mpe serve, Go API) accepts both formats. Choose based on your workflow preference.
Premium users: The Kubernetes Operator requires PolicyDomain format. Develop in either format, but run mpe build before deployment.
Use mpe build to convert PolicyDomainReference to PolicyDomain:
```bash
# Convert reference format to deployment format
mpe build -f policy-domain-ref.yaml -o policy-domain.yaml
```
The build process:

- Resolves each rego_filename reference and reads the .rego file content
- Replaces rego_filename with inline rego
- Changes kind from PolicyDomainReference to PolicyDomain

See mpe build for details.
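The conversion performed by mpe build can be expressed in a few lines once the document is parsed. This Python is an added example written for this page, not the mpe implementation: it inlines every rego_filename, refuses an entry that carries both rego and rego_filename, and flips kind to PolicyDomain. Which sections may use rego_filename, the in-memory REGO_FILES stand-in for the .rego files and the REF_DOC sample are assumptions.

```python
import copy

REGO_SECTIONS = ("policy-libraries", "policies", "mappers")  # sections carrying Rego on this page (assumption)

def read_from_disk(path):
    with open(path, encoding="utf-8") as f:
        return f.read()

def build_policy_domain(ref_doc, read_file=read_from_disk):
    """Inline each rego_filename and switch kind, following the build steps listed above."""
    if ref_doc.get("kind") != "PolicyDomainReference":
        raise ValueError(f"expected kind PolicyDomainReference, got {ref_doc.get('kind')!r}")
    out = copy.deepcopy(ref_doc)  # leave the development document untouched
    out["kind"] = "PolicyDomain"
    for section in REGO_SECTIONS:
        for entry in (out.get("spec") or {}).get(section) or []:
            if "rego_filename" in entry:
                if "rego" in entry:
                    raise ValueError(f"{section}/{entry.get('name')}: use rego or rego_filename, not both")
                entry["rego"] = read_file(entry.pop("rego_filename"))
    return out

# Constructed sample: an in-memory stand-in for .rego files kept next to the YAML document.
REGO_FILES = {
    "utils.rego": "package utils\n\nmatch_any(patterns, value) {\n  glob.match(patterns[_], [], value)\n}\n",
    "main.rego": "package authz\n\nimport data.utils\n\ndefault allow = 0\n",
}
REF_DOC = {
    "apiVersion": "iamlite.manetu.io/v1beta1",
    "kind": "PolicyDomainReference",
    "metadata": {"name": "example-domain"},
    "spec": {
        "policy-libraries": [{"mrn": "mrn:iam:library:utils", "name": "utils", "rego_filename": "utils.rego"}],
        "policies": [{"mrn": "mrn:iam:policy:main", "name": "main",
                      "dependencies": ["mrn:iam:library:utils"], "rego_filename": "main.rego"}],
        "mappers": [{"name": "http", "selector": [".*"], "rego": "package mapper\n"}],  # already inline
    },
}

def build_sample():
    """Convert REF_DOC using the in-memory files; the result has only inline rego fields."""
    return build_policy_domain(REF_DOC, read_file=REGO_FILES.__getitem__)

if __name__ == "__main__":
    import json
    print(json.dumps(build_sample(), indent=2))  # structure of the resulting PolicyDomain
```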
```yaml
metadata:
  name: my-domain-name
```
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Unique identifier for the domain |
| Section | Description |
|---|---|
| policy-libraries | Reusable Rego code |
| policies | Access control policies |
| roles | Identity-to-policy mappings |
| groups | Group-to-role mappings |
| resource-groups | Resource-to-policy mappings |
| resources | Resource selector-based routing (v1alpha4+) |
| scopes | Access-method constraint policies |
| operations | Operation routing |
| mappers | Input transformation |
All entities use MRN for identification:

```
mrn:<type>:<namespace>:<class>:<instance>
```

Examples:

- mrn:iam:policy:admin
- mrn:iam:role:developer
- mrn:app:myservice:resource-group:default

Use YAML anchors for reference:
```yaml
policies:
  - mrn: &my-policy "mrn:iam:policy:my-policy"
    name: my-policy
    rego: |
      package authz
      default allow = true

roles:
  - mrn: "mrn:iam:role:admin"
    name: admin
    policy: *my-policy  # Reference
```
```yaml
apiVersion: iamlite.manetu.io/v1beta1
kind: PolicyDomain
metadata:
  name: example-domain
spec:
  policy-libraries:
    - mrn: &utils "mrn:iam:library:utils"
      name: utils
      rego: |
        package utils

        match_any(patterns, value) {
          glob.match(patterns[_], [], value)
        }

  policies:
    - mrn: &allow-all "mrn:iam:policy:allow-all"
      name: allow-all
      rego: |
        package authz
        default allow = true

    - mrn: &read-only "mrn:iam:policy:read-only"
      name: read-only
      rego: |
        package authz
        default allow = false
        allow { input.operation == "read" }

    - mrn: &main "mrn:iam:policy:main"
      name: main
      dependencies:
        - *utils
      rego: |
        package authz
        import data.utils
        default allow = 0  # Tri-level: negative=DENY, 0=GRANT, positive=GRANT Override
        allow = -1 { input.principal == {} }  # DENY

  roles:
    - mrn: "mrn:iam:role:admin"
      name: admin
      policy: *allow-all
      annotations:
        - name: access_level
          value: admin  # v1beta1: native string value

  groups:
    - mrn: "mrn:iam:group:admins"
      name: admins
      roles:
        - "mrn:iam:role:admin"

  resource-groups:
    - mrn: &rg-default "mrn:iam:resource-group:default"
      name: default
      default: true
      policy: *allow-all
    - mrn: &rg-sensitive "mrn:iam:resource-group:sensitive"
      name: sensitive
      policy: *read-only

  resources:
    - name: sensitive-data
      description: "Sensitive data requiring read-only access"
      selector:
        - "mrn:data:sensitive:.*"
        - "mrn:secret:.*"
      group: *rg-sensitive
      annotations:
        - name: classification
          value: HIGH  # v1beta1: native string value
        - name: retention_days
          value: 365  # v1beta1: native number value

  scopes:
    - mrn: "mrn:iam:scope:api"
      name: api
      policy: *allow-all

  operations:
    - name: api
      selector:
        - ".*"
      policy: *main

  mappers:
    - name: http
      selector:
        - ".*"
      rego: |
        package mapper

        porc := {
          "principal": input.claims,
          "operation": input.operation,
          "resource": input.resource,
          "context": input
        }
```