redhat-cop / rego-policies
Rego policies collection
License: Apache License 2.0
How should a new or updated policy be tested to verify it does the right thing?
This will also be helpful for reviewing PRs and can be used for CI as well.
Gatekeeper doesn't support k8s memory units yet, needs: https://github.com/open-policy-agent/opa/pull/2403/files
Once it's merged:
I started working on creating a rego policy for this - https://learnk8s.io/production-best-practices#governance
As I know lots of people are looking at this stuff now, to avoid duplicated effort let's capture some issues for policies we think could be good to write. I've started with this one.
Once we finalize some of the initial version of our policies, we should look to set up automation to start publishing them to ArtifactHub
Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO
Similar to checking the image total size, a policy for each layer could be a useful warning.
konstraint has changed the doc format, so we need to update our stuff.
Each warn has four lines repeated, let's consider turning them into some kinda util or loaded thing. Could do it as a function too.
https://www.openpolicyagent.org/docs/latest/policy-language/#imports
FYI @garethahealy
Gatekeeper supports looking at cached data, should explore that with conftest combine
remove konstraint ignore
remove skip in gatekeeper tests, and check they work
I think it would be a good idea to trigger other repos' CI which contain conftest. As raised by:
It would be good to know that this repo doesn't break other repos. It will also improve the reliability of this repo overall.
Current repos with conftest:
The changes required are described here:
Since the bot has access to these repos, I'd guess that would be the best "person" to get a token off.
@pabrahamsson; thoughts?
We currently have:
But there's also 'violation'. I've googled but can't find a link that explains the different root level "types" and when/why you'd use them.
If anyone finds a link, please share.
Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO
conftest supports --data
- see if we can provide the data.inventory for these policies so they can be tested locally
Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO
Look into:
Could this be added as part of the CI?
Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO
Need to check docs on how to tell gatekeeper not to look at core namespaces, i.e.: openshift-*
Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO
Investigate if it's possible to hook up the data from the below operator to deny images that are bad:
Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO
Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO
Current tests are looking for a given SHA to be in the image layer history. This policy is a great start but to be super useful across multiple projects, it would be better if we could pass in the SHAs to check against.
FYI
@garethahealy @noelo
Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO
Currently, all the policies live in the package main, as that's what the OPA examples tell you. But if you look at "real world" examples in gatekeeper, they are all in their own packages. I presume this is so multiple policies don't fire for one constraint - not 100% sure.
If we did update the packages to be unique per policy, it would make the testing easier as there would be no cross-firing of rules, i.e.: 1 rule fires against its own test data, vs currently, all rules fire against 1 set of test data.
Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO
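An added example, not the repo's own code, that ties three of the issues above together: a shared helper package imported by the policy instead of the repeated warn lines, a package per policy instead of `main`, and the layer digests supplied through conftest's `--data` rather than hard-coded in the test. The helper names, the `image_required_base_layer` package, the `required_layer_digests` key and the inspect-style input shape are all assumptions.

```rego
# file: policy/lib/helpers.rego
# Constructed helper package for this example; not the repo's own lib.
package lib.helpers

# One place for the message format, so each policy does not repeat the same lines.
format(policy, msg) = sprintf("%s: %s", [policy, msg])

# Layer digests of the image under test. Assumes the input document is one
# image's inspect object (podman/docker inspect style), i.e. it carries a
# RootFS.Layers list of "sha256:..." digests.
layers[digest] {
    digest := input.RootFS.Layers[_]
}

# file: policy/image/required_base_layer.rego
# Its own package (not `main`), so only this rule fires against its test data.
package image_required_base_layer

import data.lib.helpers

# The digests to look for are not hard-coded; they come from a data file
# supplied at check time, e.g.
#   conftest test image.json --data required.yaml
# with required.yaml containing:
#   required_layer_digests: ["sha256:<approved base layer digest>"]
violation[msg] {
    required := data.required_layer_digests
    found := {d | d := required[_]; helpers.layers[d]}
    count(found) == 0
    msg := helpers.format("image_required_base_layer", "none of the approved base image layers are present in the image")
}

# Fail closed: a missing --data file must not make the check pass silently.
violation[msg] {
    not data.required_layer_digests
    msg := helpers.format("image_required_base_layer", "required_layer_digests was not supplied via --data")
}
```

Because the same data file also drives `conftest test` locally, the SHAs a project cares about live with that project rather than in this repo's policy.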
@InfoSec812 hit an issue where the container name in the triggers was not the same as in the containers, causing the trigger to never fire, which led to lots of confusion.
We've got a script which will deploy gatekeeper:
https://github.com/redhat-cop/rego-policies/blob/master/_test/deploy-gatekeeper.sh
and a script which will test it:
https://github.com/redhat-cop/rego-policies/blob/master/_test/gatekeeper-integrationtests.sh
but no prow/ci to execute.
@pabrahamsson; is it possible to get the bot hooked up with prow to execute the above?
Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO
write tests for gatekeeper
@pabrahamsson; you good to enable the bot?
Interested to see others thoughts on whether we should add examples to test our policies against. Seems like it could be a bit of overhead involved, but feels like a bit of context would also make them a bit more useful.
OPA Gatekeeper suggests a structure:
which konstraint also uses:
I am thinking it is a good idea to follow that.
Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO
Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO
Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO
Track the github-actions repo for conftestbats so we don't need to use @garethahealy's dodgy repo/branch.