package main
warn[msg] {
input.kind = "Deployment"
not input.spec.template.spec.securityContext.runAsNonRoot = true
msg = "Containers must not run as root"
}
not input.spec.selector.matchLabels.app
msg = "Containers must provide app label for pod selectors"