Need to check docs on how to tell gatekeeper not to look at core namespaces, i.e.: openshift-*

track the github-actions repo for conftestbats so we don't need to use @garethahealy 's dodgy repo/branch

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO

We currently have:

• deny
• warn

But there's also 'violation'. I've googled but can't find a link that explains the different root level "types" and when/why you'd use them.

If anyone finds a link, please share.

Interested to see others thoughts on whether we should add examples to test our policies against. Seems like it could be a bit of overhead involved, but feels like a bit of context would also make them a bit more useful.

write tests for gatekeeper

• remove konstraint ignore
• write gatekeeper tests, and check they work

Gatekeeper doesn't support k8s memory units yet, needs: https://github.com/open-policy-agent/opa/pull/2403/files

Once it's merged:

• remove konstraint ignore
• remove skip in gatekeeper tests, and check they work

dora-metrics/pelorus#148

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: https://github.com/redhat-cop/rego-policies/blob/0.0.1/policy/warn-k8s_ocp-deployment_deploymentconfig-bestpractices.rego#L182-L192

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: https://github.com/redhat-cop/rego-policies/blob/0.0.1/policy/warn-k8s_ocp-deployment_deploymentconfig-bestpractices.rego#L276-L287

conftest supports --data - see if we can provide the data.inventory for these policies so they can be tested locally

Currently, all the policies live in the package main as that's what the OPA examples tell you. But if you look at "real world" examples in gatekeeper, they are all in their own packages. I presume this is so multiple policies don't fire for one constraint - not 100% sure.

If we did update the packages to be unique per policy, it would make the testing easier as their would be no cross-firing of rules, i.e.: 1 rule fires against its own test data, vs currently, all rules fire against 1 set of test data.

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: https://github.com/redhat-cop/rego-policies/blob/0.0.1/policy/warn-k8s_ocp-deployment_deploymentconfig-bestpractices.rego#L60-L72

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: https://github.com/redhat-cop/rego-policies/blob/0.0.1/policy/warn-k8s-deployment-conftestcombine-bestpractices.rego#L27-L47

Gatekeeper supports looking at cached data, should explore that with conftest combine

• https://github.com/open-policy-agent/gatekeeper/blob/1c99315f63f1f7529378b66e2244c0e1171aa8ed/README.md#replicating-data

• remove konstraint ignore

• remove skip in gatekeeper tests, and check they work

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: https://github.com/redhat-cop/rego-policies/blob/0.0.1/policy/warn-k8s-namespace-conftestcombine-bestpractices.rego#L3-L21

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO

How should a new or updated policy be tested to verify it does the right thing?
This will also be helpful for reviewing PRs and can be used for CI as well.

• https://github.com/redhat-cop/rego-policies/blob/master/policy/ocp/deprecated/4_2/operatorsources-v1/src.rego
• https://github.com/redhat-cop/rego-policies/blob/master/policy/ocp/deprecated/4_2/catalogsourceconfigs-v1/src.rego

both do the same check - should be merged.

@InfoSec812 hit an issue where the container name in the triggers was not the same as in the containers, causing the trigger to never fire, which led to lots of confusion

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: https://github.com/redhat-cop/rego-policies/blob/0.0.1/policy/warn-k8s_ocp-all-bestpractices.rego#L3-L27

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO

Each warn has four lines repeated, let's consider turning them into some kinda util or loaded thing. Could do it as a function too.

https://www.openpolicyagent.org/docs/latest/policy-language/#imports

#30

FYI @garethahealy

Investigate if it's possible to hookup the data from the below operator to deny images that are bad:

• https://operatorhub.io/operator/project-quay-container-security-operator

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO

We've got a script which will deploy gatekeeper:
https://github.com/redhat-cop/rego-policies/blob/master/_test/deploy-gatekeeper.sh

and a script which will test it:
https://github.com/redhat-cop/rego-policies/blob/master/_test/gatekeeper-integrationtests.sh

but no prow/ci to execute.

@pabrahamsson ; is it possible to get the bot hooked up with prow to execute the above?

OPA Gatekeeper suggests a structure:

• https://github.com/open-policy-agent/gatekeeper/tree/master/library

which konstraint also uses:

• https://github.com/plexsystems/konstraint#how-template-and-constraint-naming-works

I am thinking it is a good idea to follow that.

cc @tylerauerbeck @pabrahamsson @springdo

Look into:

• https://www.openpolicyagent.org/docs/latest/policy-performance/#profiling

Could this be added as part of the CI?

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO

Policy: https://github.com/redhat-cop/rego-policies/tree/master/policy/ocp/bestpractices/container-image-unknownregistries
Example: https://github.com/redhat-cop/helm-charts/blob/master/charts/dev-ex-dashboard/templates/deploymentconfig.yaml#L29

It should ignore/skip over this.

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: https://github.com/redhat-cop/rego-policies/blob/0.0.1/policy/warn-k8s_ocp-deployment_deploymentconfig-bestpractices.rego#L36-L46

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO

@pabrahamsson ; you good to enable the bot?

current tests are looking for a given sha to be in the imaga layer history. This policy is a great start but to be super useful across multiple projects, it would be better if we could pass in the SHA's to check against.

#33

FYI
@garethahealy @noelo

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: https://github.com/redhat-cop/rego-policies/blob/0.0.1/policy/warn-k8s_ocp-deployment_deploymentconfig-bestpractices.rego#L74-L94

https://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html#ocp-4-5-deprecated-v1beta1-crds

Once we finalize some of the initial version of our policies, we should look to set up automation to start publishing them to ArtifactHub

similar to the checking image total size, policy for each layer could be useful warning

I think it would be a good idea to trigger other repos ci which contain conftest. As raised by:

• #63

It would be good to know that this repo doesn't break other repos. It will also improve the reliability of this repo overall.

Current repos with conftest:

• https://github.com/redhat-cop/containers-quickstarts
• https://github.com/redhat-cop/container-pipelines
• https://github.com/redhat-cop/openshift-templates
• https://github.com/redhat-cop/helm-charts
• https://github.com/redhat-cop/pelorus

The changes required are described here:

• https://blog.marcnuri.com/triggering-github-actions-across-different-repositories

Since the bot has access to these repos, I'd guess that would be the best "person" to get a token off.

@pabrahamsson ; thoughts?

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: https://github.com/redhat-cop/rego-policies/blob/0.0.1/policy/warn-k8s_ocp-deployment_deploymentconfig-bestpractices.rego#L3-L34

• open-policy-agent/gatekeeper#739
• https://github.com/open-policy-agent/gatekeeper/blob/97c8f8e1daecd650dbe822f45d1191c45546ec69/pkg/webhook/policy.go#L75

I started working on creating a rego policy for this - https://learnk8s.io/production-best-practices#governance

As I know lots of people are looking at this stuff now, to avoid duplicated effort lets capture some issues for policies we think could be good to write. I've started with this one

FYI
@ckavili @noelo @garethahealy @jtudelag

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO

konstraint has changed the doc format, so need to update our stuff