Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Unit testing Kubernetes configs using Open Poli...

Unit testing Kubernetes configs using Open Policy Agent and Conftest

Quick introduction to Conftest for the Kubernetes community weekly meeting.

Gareth Rushgrove

July 25, 2019
Tweet

More Decks by Gareth Rushgrove

Other Decks in Technology

Transcript

  1. What if we could use Open Policy Agent here as

    well? Development cycle Cluster Local development Continuous integration
  2. apiVersion: apps/v1 kind: Deployment metadata: name: hello-kubernetes spec: replicas: 3

    selector: matchLabels: app: hello-kubernetes template: metadata: labels: app: hello-kubernetes spec: containers: - name: hello-kubernetes image: paulbouwer/hello-kubernetes:1.5 ports: Given a Kubernetes config file
  3. package main deny[msg] { input.kind = "Deployment" not input.spec.template.spec.securityContext.runAsNonRoot =

    true msg = "Containers must not run as root" } deny[msg] { input.kind = "Deployment" not input.spec.selector.matchLabels.app msg = "Containers must provide app label for pod selectors" } Write your policies
  4. deny[msg] { input.kind = "Deployment" not input.spec.template.spec.securityContext.runAsNonRoot = true msg

    = "Containers must not run as root" } Rego? A DSL for policy We should deny any input for which Deployment is the value for kind and When runAsNonRoot is set to false
  5. // Where should we eat at // KubeCon in San

    Diego? { "restaurants": [ "Campfire", "Galaxy Taco", "Olive Garden", "Dija Mara", "Mikkeller", "Wrench and Rodent" ] } Not just K8s package main deny["Nice try Lachlan"] { input.restaurants[_] = "Olive Garden" } Currently supports HCL, TOML, YAML, JSON, CUE and INI
  6. Join in snyk.io - Join the #conftest channel on the

    Open Policy Agent Slack at slack.openpolicyagent.org - Download or hack on Conftest at github.com/instrumenta/conftest