Whats wrong with k8suniqueannotations logic inspired by k8suniquelabels

[laxmanvallandas]

Hello, Newbie in rego here.

Sample provided to create a namespace with unique labels works like a charm.
https://github.com/open-policy-agent/gatekeeper/blob/b7230e0bdc3479b867acd2fd0d7192b1182c59d4/demo/basic/templates/k8suniquelabel_template.yaml#L47

Provided example allows unique label to be configured across all namespaces. I tried to make similar change with few tweaks. Basically to allow unique annotation to be configured across all services.
Here is how my violation logic looks like in ConstraintTemplate:

    violation[{"msg": msg, "details": {"value": val, "annotation": annotation}}] {
      annotation := input.parameters.annotation
      val := input.review.object.metadata.annotations[annotation]
      cluster_objs := [o | o = data.inventory.cluster[_][_][_]; not identical_cluster(o, input.review)]
      ns_objs := [o | o = data.inventory.namespace[_][_][_][_]; not identical_namespace(o, input.review)]
      all_objs := array.concat(cluster_objs, ns_objs)
      all_values := {val | obj = all_objs[_]; val = obj.metadata.annotations[annotation]}
      count({val} - all_values) == 0
      msg := sprintf("annotation %v has duplicate value %v", [annotation, val])
    }

And a change has been made in spec.crd.spec.validation.openAPIV3Schema.properties.annotation(instead of label) and corresponding change has been made in object that this template creates(snippet below) and config is created with audit cache enabled.

spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Service"]
parameters:
annotation: external-dns.alpha.kubernetes.io/hostname
However, when I create a service 1 with annotation external-dns.alpha.kubernetes.io/hostname: mydomain.com and another service 2 with same annotation(key value pair). OPA doesn't deny it whereas the same logic works for labels for Namespace object. Any pointers that I could look into? Am more curious to know if the syntax used violation logic is right.

[laxmanvallandas]

Seems like I opened discussion in inaccurate category. closed and opened in Gatekeeper.

[laxmanvallandas]

Only to realise 30 seconds later that changing category is supported :)