Comments (6)
@mbilel are you using the helper bats functions that this repo uses? or just the raw policies
from rego-policies.
cool.
from rego-policies.
no I can't install bats in my environment, I am using just the raw policies
from rego-policies.
ok, that explains why. all of these policies are aimed to work on and off cluster (i.e.: conftest and gatekeeper). to do that, they target a single resource, i.e.: Deployment. so to get that to work, we pre-process k8s lists/ocp templates/helm charts to be a list of yaml resources.
by doing this, it simplifies how the policies work and makes testing both scenarios exactly the same.
so the long and short of it; if you want to use these policies as part of a CI/CD pipeline, you need to pre-process. if you want to use them via gatekeeper, they'll work as-is.
from rego-policies.
also, your comment about not being able to install bats. the bats lib is just a bash file, so if you can:
- git clone
- source bashfile
then you can use the code which pre-processes the resources. see:
- https://github.com/redhat-cop/rego-policies/blob/master/_test/gatekeeper-integrationtests.sh#L41
- https://github.com/redhat-cop/bats-library/blob/master/src/yaml-json-manipulation.bash#L15
from rego-policies.
@garethahealy, Thank you for your responses,
Yes I want to include SAST control in CI/CD pipelines.
I used yq to do the stuff:
oc process -f ocp_template.yaml --param-file env.properties | yq eval -P '.items[] | splitDoc' - > split_ocp_objects.yml
then
conftest test split_ocp_objects.yml --all-namespaces
from rego-policies.
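The pre-processing discussed in this thread, as an added example that is not part of the original comments or of the rego-policies repo: it flattens a `List`/`Template` wrapper into single resources and shows that a check keyed on the top-level `kind` finds nothing until that is done. The sample input, the function names and the `missing_limits` stand-in check are constructed for illustration, and treating any kind ending in `List` with an `items` array as a wrapper is an assumption.

```python
import json

# Constructed sample in the shape of a processed template: a List wrapping resources.
SAMPLE_LIST = json.loads("""
{"kind": "List", "apiVersion": "v1", "items": [
  {"kind": "Deployment", "apiVersion": "apps/v1", "metadata": {"name": "web"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "web", "image": "example/web:latest"}]}}}},
  {"kind": "Service", "apiVersion": "v1", "metadata": {"name": "web"}}
]}
""")

def flatten(doc):
    """Yield single resources from a List (.items) or Template (.objects), recursively."""
    if not isinstance(doc, dict):
        return
    kind = doc.get("kind", "")
    if kind == "Template":
        children = doc.get("objects") or []
    elif kind.endswith("List") and isinstance(doc.get("items"), list):
        children = doc["items"]
    else:
        yield doc  # already a single resource
        return
    for child in children:
        yield from flatten(child)

def missing_limits(resource):
    """Stand-in for a single-resource policy (hypothetical, not from rego-policies):
    names of Deployment containers that set no resources.limits."""
    if resource.get("kind") != "Deployment":
        return []
    pod = resource.get("spec", {}).get("template", {}).get("spec", {})
    return [c.get("name") for c in pod.get("containers", [])
            if not c.get("resources", {}).get("limits")]

def evaluate(docs):
    """Run the stand-in check over each document; return (resource, container) findings."""
    return [(r.get("metadata", {}).get("name"), n)
            for r in docs for n in missing_limits(r)]

if __name__ == "__main__":
    # The wrapper's kind is "List", so the Deployment check never matches it.
    print("raw list findings: ", evaluate([SAMPLE_LIST]))
    print("flattened findings:", evaluate(flatten(SAMPLE_LIST)))
```

A pipeline that reports zero violations on an unsplit list has not evaluated the wrapped resources, so the split step belongs in the same job as the policy test.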