open-policy-agent / gatekeeper

🐊 Gatekeeper - Policy Controller for Kubernetes
https://open-policy-agent.github.io/gatekeeper/
Apache License 2.0

Question: evaluate constraints on local files #540

Closed nniikkoollaaii closed 4 years ago

nniikkoollaaii commented 4 years ago

Hi, I would like to use the Gatekeeper project with its constraint framework approach.

But I would like to have the ability to test my defined constraints against local files.

With plain Rego I can define a policy regardless of whether the input is a deployment.yaml or an AdmissionReview sent by the API Server.

Example:

check-registry.rego

deny[reason] {
  some container
  input_containers[container]
  not startswith(container.image, "internal.company/")
  reason := sprintf("image '%v' comes from untrusted registry", [container.image])
}

# kubernetes admission review for kind pod
input_containers[container] {
    container := input.request.object.spec.containers[_]
}

# kubernetes admission review for kind ???
input_containers[container] {
    container := input.request.object.spec.template.spec.containers[_]
}

# deployment manifest
input_containers[container] {
    input.kind = "Deployment"
    container := input.spec.template.spec.containers[_]
}

Is there a way to "opa eval ..." the defined constraints and constraint templates? Or is the only way to test my policies to apply them to a test cluster and try it out?

I wasn't able to find something in this direction on the internet.

Background: I want to give app developers the ability to check whether their manifests follow company rules, with an easier way than checking an internal wiki where policies are documented, or looking at error logs in their CI/CD pipeline to figure out which policy was not met.
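To show how one policy can cover both an AdmissionReview and a raw manifest, here is an added Python mirror of the check-registry.rego rules above (example code, not Gatekeeper's or the poster's); the sample Deployment, the AdmissionReview wrapper and the trusted-registry prefix are constructed for the example, and the manifest is assumed to already be JSON.

```python
"""Local check mirroring the check-registry.rego rules above (added example, not Gatekeeper code)."""
import json
import sys

# Constructed to match the Rego's startswith() check; Gatekeeper would pass this as input.parameters.registry
TRUSTED_REGISTRY = "internal.company/"


def _containers_in(spec):
    """Containers directly in a PodSpec (kind Pod) or under a pod template (Deployment, Job, ...)."""
    yield from spec.get("containers", [])
    yield from spec.get("template", {}).get("spec", {}).get("containers", [])


def input_containers(doc):
    """Same role as the Rego's input_containers: normalise whichever shape the input has."""
    request_object = doc.get("request", {}).get("object")
    if request_object is not None:                      # AdmissionReview sent by the API server
        return list(_containers_in(request_object.get("spec", {})))
    if doc.get("kind") == "Deployment":                 # raw manifest read from a local file
        return list(_containers_in(doc.get("spec", {})))
    return []                                           # anything else yields no containers, so no deny


def deny(doc, registry=TRUSTED_REGISTRY):
    """Return the set of deny reasons; a container without an image field is skipped, as in Rego."""
    return {
        "image '%s' comes from untrusted registry" % c["image"]
        for c in input_containers(doc)
        if "image" in c and not c["image"].startswith(registry)
    }


# Constructed sample inputs: a deployment.yaml (as JSON) and the same object wrapped in an AdmissionReview.
DEPLOYMENT_MANIFEST = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [
        {"name": "app", "image": "internal.company/app:1.0"},
        {"name": "proxy", "image": "docker.io/library/nginx:1.19"},
    ]}}},
}
ADMISSION_REVIEW = {"kind": "AdmissionReview", "request": {"object": DEPLOYMENT_MANIFEST}}

if __name__ == "__main__":
    # Usage: python check_registry.py deployment.json  (convert YAML to JSON first)
    reasons = deny(json.load(open(sys.argv[1])))
    for reason in sorted(reasons):
        print(reason)
    sys.exit(1 if reasons else 0)
```

Because the same `deny` runs on both shapes, a developer gets the identical message from a pre-commit check that the admission webhook would return.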

maxsmythe commented 4 years ago

For the git pipeline, I'd encourage you to look at the newly-announced kpt project, which would allow you to run a validation pipeline as a commit hook. High-level documentation for functions can be found here:

https://googlecontainertools.github.io/kpt/reference/fn/

For Gatekeeper specifically, this gatekeeper-validate kpt-function (implemented as a docker container) can be invoked from the shell:

https://googlecontainertools.github.io/kpt-functions-catalog/#validators

An example:

docker run -i -u $(id -u) -v $(pwd):/source gcr.io/kpt-functions/read-yaml -i /dev/null -d source_dir=/yaml_manifest_including_constraints_and_templates | docker run -i gcr.io/kpt-functions/gatekeeper-validate

nniikkoollaaii commented 4 years ago

@maxsmythe thank you very much for your solution

I think this should match my use case :)

I wasn't able to verify this because I got an error:

Error: 1 error occurred: templates["admission.k8s.gatekeeper.sh"]["registry"]:3: rego_parse_error: no match found
        violation[{"msg": msg, "details": {}}] { var container; input_containers[container]; not startswith(container.image, input.parameters.registry); assign(msg, sprintf("image '%v' comes from untrusted", [container.image])) }
                                                     ^

I found this issue in this project. I assumed I'm hitting the same problem.

I filed an issue over there.

Again thank you

maxsmythe commented 4 years ago

No problem!

I think the issue is that that kpt-function is based on an older version of Gatekeeper; I have a PR out to update it.