PolicyDomain Schema
Complete reference for the PolicyDomain YAML schema.
Overview
A PolicyDomain is defined in YAML with the following top-level structure:
apiVersion: iamlite.manetu.io/v1beta1
kind: PolicyDomain
metadata:
name: string
spec:
policy-libraries: []
policies: []
roles: []
groups: []
resource-groups: []
resources: []
scopes: []
operations: []
mappers: []
API Version
apiVersion: iamlite.manetu.io/v1beta1
Supported versions: v1alpha3, v1alpha4, v1beta1
Version Differences
| Feature | v1alpha3 | v1alpha4 | v1beta1 |
|---|---|---|---|
resources section | Not available | Available | Available |
selector in operations | Optional | Required | Required |
selector in mappers | Optional | Required | Required |
| Native annotation values | No | No | Yes |
v1beta1 Native Annotations
In v1beta1, annotation values can be specified as native YAML instead of JSON-encoded strings:
# v1alpha4 - JSON-encoded strings
annotations:
- name: count
value: "42"
- name: tags
value: '["a", "b"]'
# v1beta1 - Native YAML values
annotations:
- name: count
value: 42
- name: tags
value:
- a
- b
Kind
The PolicyEngine supports two related document kinds:
| Kind | Description |
|---|---|
PolicyDomain | Complete bundle with inline Rego code |
PolicyDomainReference | Development format that references external .rego files |
PolicyDomain vs PolicyDomainReference
PolicyDomainReference is a superset of PolicyDomain designed for development workflows. The key differences:
| Aspect | PolicyDomain | PolicyDomainReference |
|---|---|---|
| Rego code | Inline rego field only | Either rego (inline) or rego_filename (external file) |
| Use case | Deployment, runtime | Development, source control |
| Kubernetes Operator | Supported (Premium) | Must convert first |
Which format should I use?
-
For development: Use
PolicyDomainReferencewithrego_filenameto keep Rego code in separate.regofiles. This enables IDE syntax highlighting, easier testing, and cleaner diffs in version control. -
For deployment: Use
PolicyDomainwith inlinerego. Convert fromPolicyDomainReferenceusingmpe build. -
Community users: All tooling (
mpe test,mpe serve, Go API) accepts both formats. Choose based on your workflow preference. -
Premium users: The Kubernetes Operator requires
PolicyDomainformat. Develop in either format, but runmpe buildbefore deployment.
Converting Between Formats
Use mpe build to convert PolicyDomainReference to PolicyDomain:
# Convert reference format to deployment format
mpe build -f policy-domain-ref.yaml -o policy-domain.yaml
The build process:
- Reads each
rego_filenamereference - Loads the external
.regofile content - Replaces
rego_filenamewith inlinerego - Changes
kindfromPolicyDomainReferencetoPolicyDomain
See mpe build for details.
Metadata
metadata:
name: my-domain-name
| Field | Type | Required | Description |
|---|---|---|---|
name | string | Yes | Unique identifier for the domain |
Spec Sections
| Section | Description |
|---|---|
| policy-libraries | Reusable Rego code |
| policies | Access control policies |
| roles | Identity-to-policy mappings |
| groups | Group-to-role mappings |
| resource-groups | Resource-to-policy mappings |
| resources | Resource selector-based routing (v1alpha4+) |
| scopes | Access-method constraint policies |
| operations | Operation routing |
| mappers | Input transformation |
Common Fields
MRN (Manetu Resource Notation)
All entities use MRN for identification:
mrn:<type>:<namespace>:<class>:<instance>
Examples:
mrn:iam:policy:adminmrn:iam:role:developermrn:app:myservice:resource-group:default
YAML Anchors
Use YAML anchors for reference:
policies:
- mrn: &my-policy "mrn:iam:policy:my-policy"
name: my-policy
rego: |
package authz
default allow = true
roles:
- mrn: "mrn:iam:role:admin"
name: admin
policy: *my-policy # Reference
Full Example
apiVersion: iamlite.manetu.io/v1beta1
kind: PolicyDomain
metadata:
name: example-domain
spec:
policy-libraries:
- mrn: &utils "mrn:iam:library:utils"
name: utils
rego: |
package utils
match_any(patterns, value) {
glob.match(patterns[_], [], value)
}
policies:
- mrn: &allow-all "mrn:iam:policy:allow-all"
name: allow-all
rego: |
package authz
default allow = true
- mrn: &read-only "mrn:iam:policy:read-only"
name: read-only
rego: |
package authz
default allow = false
allow { input.operation == "read" }
- mrn: &main "mrn:iam:policy:main"
name: main
dependencies:
- *utils
rego: |
package authz
import data.utils
default allow = 0 # Tri-level: negative=DENY, 0=GRANT, positive=GRANT Override
allow = -1 { input.principal == {} } # DENY
roles:
- mrn: "mrn:iam:role:admin"
name: admin
policy: *allow-all
annotations:
- name: access_level
value: admin # v1beta1: native string value
groups:
- mrn: "mrn:iam:group:admins"
name: admins
roles:
- "mrn:iam:role:admin"
resource-groups:
- mrn: &rg-default "mrn:iam:resource-group:default"
name: default
default: true
policy: *allow-all
- mrn: &rg-sensitive "mrn:iam:resource-group:sensitive"
name: sensitive
policy: *read-only
resources:
- name: sensitive-data
description: "Sensitive data requiring read-only access"
selector:
- "mrn:data:sensitive:.*"
- "mrn:secret:.*"
group: *rg-sensitive
annotations:
- name: classification
value: HIGH # v1beta1: native string value
- name: retention_days
value: 365 # v1beta1: native number value
scopes:
- mrn: "mrn:iam:scope:api"
name: api
policy: *allow-all
operations:
- name: api
selector:
- ".*"
policy: *main
mappers:
- name: http
selector:
- ".*"
rego: |
package mapper
porc := {
"principal": input.claims,
"operation": input.operation,
"resource": input.resource,
"context": input
}