
rkhozinov / conftest


This project forked from open-policy-agent/conftest


Write tests against structured configuration data using the Rego query language

License: Other

HCL 2.24% Dockerfile 6.90% Makefile 3.10% Shell 17.82% Go 69.94%


Conftest

What

conftest is a utility to help you write tests against structured configuration data. For instance, you could write tests for your Kubernetes configurations, Tekton pipeline definitions, Terraform code, Serverless configs, or any other structured data.

conftest relies on the Rego language from Open Policy Agent for writing the assertions. You can read more about Rego in How do I write policies in the Open Policy Agent documentation.

Usage

conftest allows you to write policies in Open Policy Agent's Rego language and apply them to one or more YAML or JSON configuration files. By default, policies are read from a directory called policy, but this can be overridden.

For instance, save the following as policy/deployment.rego:

package main

# Deployments must opt out of running as root at the pod level.
deny[msg] {
  input.kind == "Deployment"
  not input.spec.template.spec.securityContext.runAsNonRoot == true
  msg := "Containers must not run as root"
}

# Deployments must select their pods by an app label.
deny[msg] {
  input.kind == "Deployment"
  not input.spec.selector.matchLabels.app
  msg := "Containers must provide app label for pod selectors"
}

By default Conftest looks for deny and warn rules in the main namespace (the Rego package name). This can be changed with the --namespace flag or in the configuration file.

Assuming you have a Kubernetes deployment in deployment.yaml you can run conftest like so:

$ conftest test deployment.yaml
deployment.yaml
   Containers must not run as root
   Containers must provide app label for pod selectors

conftest can also be used with stdin:

$ cat deployment.yaml | conftest test -
deployment.yaml
   Containers must not run as root
   Containers must provide app label for pod selectors

Note that conftest isn't specific to Kubernetes. It will happily let you write tests for any configuration file using YAML or JSON.
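Returning to the Kubernetes case, the following is a fuller policy added here as an example; it is not code from the Conftest project. It assumes standard Kubernetes workload manifests (Deployment, StatefulSet, DaemonSet) and checks each container rather than only the pod-level security context, so a container that overrides the pod setting is still caught. The kinds, field paths, rule names and messages are this example's own choices, and it uses the classic Rego syntax the README uses (OPA releases before 1.0, or the v0 compatibility mode of later ones). Save it as policy/kubernetes.rego next to the deployment.rego above.

```rego
package main

# Added example policy, not from the Conftest project. Assumes standard
# Kubernetes workload manifests; kinds, paths and messages are assumptions.

workload_kinds := {"Deployment", "StatefulSet", "DaemonSet"}

is_workload {
  workload_kinds[input.kind]
}

# Every container of the pod template, init containers included.
workload_containers[c] {
  is_workload
  c := input.spec.template.spec.containers[_]
}

workload_containers[c] {
  is_workload
  c := input.spec.template.spec.initContainers[_]
}

# A pod-level runAsNonRoot covers every container that does not override it.
pod_runs_as_non_root {
  input.spec.template.spec.securityContext.runAsNonRoot == true
}

# An image reference is pinned when the last path segment carries a tag or a digest.
image_is_pinned(image) {
  parts := split(image, "/")
  ref := parts[count(parts) - 1]
  contains(ref, ":")
}

# Human-readable location for the message.
name_of(c) = n {
  n := sprintf("container %s in %s %s", [c.name, input.kind, input.metadata.name])
}

deny[msg] {
  c := workload_containers[_]
  not pod_runs_as_non_root
  not c.securityContext.runAsNonRoot == true
  msg := sprintf("%s must set runAsNonRoot: true", [name_of(c)])
}

deny[msg] {
  c := workload_containers[_]
  c.securityContext.privileged == true
  msg := sprintf("%s must not be privileged", [name_of(c)])
}

deny[msg] {
  c := workload_containers[_]
  not c.securityContext.allowPrivilegeEscalation == false
  msg := sprintf("%s must set allowPrivilegeEscalation: false", [name_of(c)])
}

# Mutable image references make a deploy unreproducible and unreviewable.
deny[msg] {
  c := workload_containers[_]
  endswith(c.image, ":latest")
  msg := sprintf("%s uses the mutable :latest tag; pin a version or digest", [name_of(c)])
}

deny[msg] {
  c := workload_containers[_]
  not image_is_pinned(c.image)
  msg := sprintf("%s has an untagged image; pin a version or digest", [name_of(c)])
}

# Missing limits are a warning rather than a failure: they let one pod exhaust a node.
warn[msg] {
  c := workload_containers[_]
  not c.resources.limits.memory
  msg := sprintf("%s has no memory limit", [name_of(c)])
}
```

Run it exactly as before with conftest test deployment.yaml: every deny rule whose body succeeds contributes one line to the failures, warn rules are reported without failing the run. Two design points are worth noting. First, `not field == true` is used rather than `field == false` so that a missing field counts as a violation; absent security settings are the common case and must not pass by default. Second, the image checks split on the last path segment so that a registry host with a port (registry:5000/app) is not mistaken for a tagged image.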

Examples

You can find examples using various other tools in the examples directory.

Configuration and external policies

Policies are often reusable between different projects, and Conftest supports a mechanism to specify dependent policies and to download them. The format reuses the Bundle defined by Open Policy Agent.

You can download individual policies directly:

conftest pull instrumenta.azurecr.io/test

Policies are stored in OCI-compatible registries. You can read more about this idea in this post.

If you have a compatible OCI registry you can also push new policy bundles like so:

conftest push instrumenta.azurecr.io/test

Conftest also supports a simple configuration file which can be used to store the list of dependent bundles and download them in one go. Create a conftest.toml configuration file like the following:

# You can override the directory in which to store and look for policies
policy = "tests"

# You can override the namespace in which to search for rules
namespace = "conftest"

# An array of individual policies to download. Only the repository
# key is required. If tag is omitted then latest will be used; pin an
# explicit tag in CI so that a mutable latest cannot silently change
# which rules run.
[[policies]]
repository = "instrumenta.azurecr.io/test"
tag = "latest"

With that in place you can use the following command to download all specified policies:

conftest update

If you want to download the latest policies and run the tests in one go you can do so with:

conftest test --update <file-to-test>

Installation

conftest releases are available for Windows, macOS and Linux on the releases page. On Linux and macOS you can download and install a release as follows (adjust the version and platform to the release you want, and verify the archive against the checksum published alongside the release before installing it):

$ wget https://github.com/instrumenta/conftest/releases/download/v0.4.2/conftest_0.4.2_Linux_x86_64.tar.gz
$ tar xzf conftest_0.4.2_Linux_x86_64.tar.gz
$ sudo mv conftest /usr/local/bin

Brew

If you're on a Mac and using Homebrew you can use:

brew tap instrumenta/instrumenta
brew install conftest

Scoop

You can also install using Scoop on Windows:

scoop bucket add instrumenta https://github.com/instrumenta/bucket-instrumenta
scoop install conftest

Docker

Conftest can also be run via Docker. Mount the directory holding your configuration and policy at /project and pass the conftest command you want to run:

$ docker run --rm -v "$(pwd)":/project instrumenta/conftest test deployment.yaml
deployment.yaml
   Containers must not run as root in Deployment hello-kubernetes
