
Unit testing Kubernetes configs using Open Policy Agent and Conftest
Quick introduction to Conftest for the Kubernetes community weekly meeting.

Gareth Rushgrove

July 25, 2019
Transcript

  1. What if we could use Open Policy Agent here as well?

     Development cycle: local development, continuous integration, cluster.
  2. Given a Kubernetes config file

     apiVersion: apps/v1
     kind: Deployment
     metadata:
       name: hello-kubernetes
     spec:
       replicas: 3
       selector:
         matchLabels:
           app: hello-kubernetes
       template:
         metadata:
           labels:
             app: hello-kubernetes
         spec:
           containers:
           - name: hello-kubernetes
             image: paulbouwer/hello-kubernetes:1.5
             ports:
  3. Write your policies

     package main

     deny[msg] {
       input.kind = "Deployment"
       not input.spec.template.spec.securityContext.runAsNonRoot = true
       msg = "Containers must not run as root"
     }

     deny[msg] {
       input.kind = "Deployment"
       not input.spec.selector.matchLabels.app
       msg = "Containers must provide app label for pod selectors"
     }
  4. Rego? A DSL for policy

     deny[msg] {
       input.kind = "Deployment"
       not input.spec.template.spec.securityContext.runAsNonRoot = true
       msg = "Containers must not run as root"
     }

     We should deny any input for which Deployment is the value for kind, and runAsNonRoot is not set to true. Because the rule is written as `not ... = true` rather than `... = false`, it also fires when the field is missing entirely, which is the Kubernetes default, so a Deployment that never mentions securityContext is denied as well.
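An added example, not part of the deck, that extends the slide's runAsNonRoot rule. The slide's check only inspects the pod-level securityContext, but Kubernetes lets each container set its own securityContext.runAsNonRoot, which overrides the pod-level value, so a pod-level true can be undone by one container setting false. The policy below walks every container and denies unless it either sets runAsNonRoot: true itself or inherits a pod-level true without overriding it. The file layout (policy/deployment.rego next to deployment.yaml) is an assumption about how you organise the repo; the rule and message wording are mine.

```rego
# Assumed location: policy/deployment.rego (added example, not the deck's code)
package main

is_deployment {
  input.kind == "Deployment"
}

# Pod-level default that containers inherit unless they override it.
pod_runs_as_non_root {
  input.spec.template.spec.securityContext.runAsNonRoot == true
}

# A container is acceptable when it sets runAsNonRoot: true itself ...
container_runs_as_non_root(c) {
  c.securityContext.runAsNonRoot == true
}

# ... or inherits a pod-level true and does not override it with false.
# `not x == false` is also true when the container has no securityContext,
# which is exactly the inherit case.
container_runs_as_non_root(c) {
  pod_runs_as_non_root
  not c.securityContext.runAsNonRoot == false
}

# One deny per offending container, naming it so the CI log is actionable.
deny[msg] {
  is_deployment
  c := input.spec.template.spec.containers[_]
  not container_runs_as_non_root(c)
  msg := sprintf("Container %v must not run as root: set securityContext.runAsNonRoot: true", [c.name])
}

# Same selector check as the deck, kept so the policy file is complete.
deny[msg] {
  is_deployment
  not input.spec.selector.matchLabels.app
  msg := "Containers must provide app label for pod selectors"
}
```

Run it with `conftest test deployment.yaml` from the directory that holds the `policy` folder (Conftest reads `policy/*.rego` and the `main` package by default). Against the deck's sample Deployment, which has no securityContext anywhere, the first rule fails with a message naming the hello-kubernetes container; adding `runAsNonRoot: true` at the pod level makes it pass, and then adding `runAsNonRoot: false` to the container makes it fail again, which is the case the slide's single pod-level check would have let through.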
  5. Not just K8s

     // Where should we eat at
     // KubeCon in San Diego?
     {
       "restaurants": [
         "Campfire",
         "Galaxy Taco",
         "Olive Garden",
         "Dija Mara",
         "Mikkeller",
         "Wrench and Rodent"
       ]
     }

     package main

     deny["Nice try Lachlan"] {
       input.restaurants[_] = "Olive Garden"
     }

     Conftest currently supports HCL, TOML, YAML, JSON, CUE and INI.
  6. Join in

     snyk.io
     - Join the #conftest channel on the Open Policy Agent Slack at slack.openpolicyagent.org
     - Download or hack on Conftest at github.com/instrumenta/conftest