add page for CEL support (#213)

* add page for CEL support

* add page for CEL support

* add page for CEL support

* add page for CEL support

* add page for CEL support

* add page for CEL support

* add page for CEL support

* add page for CEL support

Author: hadar-co

docs/custom-rules/cel-support/index.mdx

@@ -0,0 +1,55 @@
+---
+title: CEL support
+slug: /custom-rules/cel-support
+---
+
+Datree supports writing custom rules in the [CEL](https://github.com/google/cel-spec) language, by utilizing a custom JSON Schema keyword.
+
+:::info Supported version
+Writing custom rules in CEL is supported in CLI version [1.9.19](https://github.com/datreeio/datree/releases/tag/1.9.19) and above.
+:::
+
+## Required properties
+
+In addition to the basic [required format](/custom-rules/custom-rules-overview#rule-format), a CEL custom rule has the following requirements:
+
+- The `schema` property **must** have a property named `CELDefinition`, which is an array of items.
+- Each item **must** have a property named `expression` that contains the logic of the rule written in CEL. Within the expression, use `object` to reference the resource being evaluated (see example below).
+- Each item **may** have a property named `message`, which specifies what print when the expression is violated.
+
+:::tip Online CEL validation
+Ensure the validity of your CEL expressions by testing them against resources using an [online CEL playground](https://playcel.undistro.io/).
+:::
+
+#### Example:
+
+The following schema requires that resources of kind `ServiceAccount` have the `automountServiceAccountToken` property set to `false`:  
+
+```yaml
+schema:
+  CELDefinition:
+    - expression: "object.kind != 'ServiceAccount' || (has(object.automountServiceAccountToken) && object.automountServiceAccountToken == false)"
+      message: "ServiceAccounts must have automountServiceAccountToken set to false" # `message` is optional
+```
+
+---
+
+### Constraints
+
+In the above example, the constraint `object.kind != 'ServiceAccount'` is a part of the CEL logic.  
+You can also write such a constraint in JSON schema and write the rest of the logic using CEL:
+
+```yaml
+schema:
+  # Constraint - enforce rule only on `ServiceAccount` resources
+  if:
+    properties:
+      kind:
+        enum:
+          - ServiceAccount
+  then:
+    CELDefinition:
+      - expression: "has(object.automountServiceAccountToken) && object.automountServiceAccountToken == false"
+```
+
+#### For more examples, including a complete custom rules YAML, see the [examples page](/custom-rules/examples).

docs/custom-rules/custom-rules-overview/index.mdx

@@ -6,7 +6,7 @@ slug: /custom-rules/custom-rules-overview
 In addition to Datree's built-in rules, you can also write your own rules and add them to your policies.  
 The custom rule engine is based on [JSON Schema](https://json-schema.org/), so it supports both YAML and JSON declarative syntax.
 
-Custom rules can be written directly in **JSON Schema** or in [**Rego**](/custom-rules/rego-support).
+Custom rules can be written directly in **JSON Schema**, in [**Rego**](/custom-rules/rego-support), or in [CEL](/custom-rules/cel-support).
 
 :::info Note
 Note that using custom rules is possible only when in [Policy as code](/dashboard/policy-as-code) mode.
@@ -34,7 +34,7 @@ Every custom rule must have the following properties:
 - **identifier** - a unique ID to associate with a policy.
 - **name** [OPTIONAL] - a title that will be shown in Datree's output when a rule fails.
 - **defaultMessageOnFailure** [OPTIONAL] - a message that is shown when the property `policies.name[].rules.messageOnFailure` is empty (unique to each identifier).
-- **schema** - a custom rule logic written in JSON Schema (as YAML) or in [Rego](/custom-rules/rego-support).
+- **schema** - a custom rule logic written in JSON Schema (as YAML), in [Rego](/custom-rules/rego-support), or in [CEL](/custom-rules/cel-support).
 
 ### Policies file format
 
@@ -78,3 +78,4 @@ The provided examples are written in YAML schema, but custom rules can also be s
 - [Online YAML Schema validator](https://yamlschemavalidator.datree.io/)
 - [Online JSON Schema validator](https://www.jsonschemavalidator.net/)
 - [Online Rego validator](https://play.openpolicyagent.org/)
+- [Online CEL validator](https://playcel.undistro.io/)

docs/custom-rules/examples/index.mdx

@@ -3,7 +3,7 @@ title: Examples
 slug: /custom-rules/examples
 ---
 
-Here you will find examples for custom rules and common use-cases when writing policy enforcement logic, using both **JSON schema** and **Rego**.
+Here you will find examples for custom rules and common use-cases when writing policy enforcement logic, using **JSON schema**, **Rego**, and **CEL**.
 
 To see an example of a ready-to-publish custom rules YAML, [skip ahead](/custom-rules/examples#full-custom-rule-examples).
 
@@ -147,6 +147,43 @@ regoDefinition:
     }
 ```
 
+---
+
+## CEL
+
+### Ensure resource name of a certain kind begins with a specific prefix
+
+The following schema ensures all Deployments have a configured name that begins with `exmpl-`:
+
+```yaml
+if:
+  properties:
+    kind:
+      enum:
+        - Deployment
+then:
+  CELDefinition: 
+    - expression: "object.metadata.name.startsWith("exmpl-")"
+      message: "Deployments must have a name that begins with `exmpl-`" # `message` is optional
+```
+
+### Ensure a resource has a property with a specific value
+
+The following schema ensures all containers in a Pod have a configured `securityContext.readOnlyRootFilesystem` set to `true`:
+
+```yaml
+if:
+  properties:
+    kind:
+      enum:
+        - Pod
+then:
+  CELDefinition: 
+    - expression: "object.spec.containers.all(container, has(container.securityContext) && has(container.securityContext.readOnlyRootFilesystem) &&  container.securityContext.readOnlyRootFilesystem == true)"
+      message: "Containers must have a read-only root filesystem" # `message` is optional
+```
+
+
 ---
 
 ## Full custom rule examples
@@ -255,3 +292,44 @@ customRules:
             labelIsMissing := helpers.check_if_missing(missing)
             }
 ```
+
+### CEL
+
+This example has two custom rules written in CEL and added to the policy `Default`:
+
+```yaml
+apiVersion: v1
+policies:
+  - name: Default
+    rules:
+      - identifier: CUSTOM_DEPLOYMENT_NAME_PREFIX
+        messageOnFailure: Deployments must have a name that begins with `exmpl-`
+      - identifier: CUSTOM_CONTAINERS_READ_ONLY_ROOT_FILESYSTEM
+        messageOnFailure: Containers must have a read-only root filesystem
+customRules:
+  - identifier: CUSTOM_DEPLOYMENT_NAME_PREFIX
+    name: Ensure Deployment has a valid name [CUSTOM RULE]
+    defaultMessageOnFailure: Deployments must have a name that begins with `exmpl-`
+    schema:
+      if:
+        properties:
+          kind:
+            enum:
+              - Deployment
+      then:
+        CELDefinition: 
+          - expression: "object.metadata.name.startsWith("exmpl-")"
+            message: "Deployments must have a name that begins with `exmpl-`"
+  - identifier: CUSTOM_CONTAINERS_READ_ONLY_ROOT_FILESYSTEM
+    name: Ensure Pod containers have a read-only root filesystem [CUSTOM RULE]
+    defaultMessageOnFailure: Containers must have a read-only root filesystem
+    schema:
+      if:
+        properties:
+          kind:
+            enum:
+              - Pod
+      then:
+        CELDefinition: 
+          - expression: "object.spec.containers.all(container, has(container.securityContext) && has(container.securityContext.readOnlyRootFilesystem) &&  container.securityContext.readOnlyRootFilesystem == true)"
+```

docs/custom-rules/rego-support/_category_.json

@@ -185,6 +185,7 @@ const sidebars = {
       items: [
         "custom-rules/custom-rules-overview/index",
         "custom-rules/rego-support/index",
+        "custom-rules/cel-support/index",
         "custom-rules/examples/index",
         "custom-rules/multiple-property-paths/index",
         "custom-rules/resource-quotas/index",