nniikkoollaaii closed this issue 4 years ago
For the git pipeline, I'd encourage you to look at the newly-announced kpt project, which would allow you to run a validation pipeline as a commit hook. High-level documentation for functions can be found here:
https://googlecontainertools.github.io/kpt/reference/fn/
For Gatekeeper specifically, the gatekeeper-validate
kpt-function (implemented as a Docker container) can be invoked from the shell:
https://googlecontainertools.github.io/kpt-functions-catalog/#validators
An example:
docker run -i -u $(id -u) -v $(pwd):/source gcr.io/kpt-functions/read-yaml -i /dev/null -d source_dir=/yaml_manifest_including_constraints_and_templates | docker run -i gcr.io/kpt-functions/gatekeeper-validate
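A git pre-commit hook built around that same read-yaml | gatekeeper-validate pipeline, as an added example (it is not code from this thread, from kpt or from Gatekeeper): it copies the staged manifests plus the templates and constraints into a scratch directory and validates them together. The policy directory name `policy/` and read-yaml's `source_dir` parameter naming are assumptions.

```shell
#!/bin/sh
# .git/hooks/pre-commit: validate staged manifests with Gatekeeper via kpt functions.
# Added example; not code from the thread, kpt or Gatekeeper.
# Assumptions: templates and constraints live under POLICY_DIR (default: policy/),
# and read-yaml takes the directory to read through its source_dir parameter.
POLICY_DIR="${POLICY_DIR:-policy}"

# Read file paths (one per line) on stdin and keep only YAML manifests.
staged_manifests() {
  while IFS= read -r path; do
    case "$path" in
      *.yaml|*.yml) printf '%s\n' "$path" ;;
    esac
  done
}

# Run the kpt read-yaml | gatekeeper-validate pipeline over one directory.
# Exit status is gatekeeper-validate's: non-zero when any constraint is violated.
validate_dir() {
  docker run -i -u "$(id -u)" -v "$1:/source" \
    gcr.io/kpt-functions/read-yaml -i /dev/null -d source_dir=/source |
    docker run -i gcr.io/kpt-functions/gatekeeper-validate
}

main() {
  [ -d "$POLICY_DIR" ] || { echo "pre-commit: no $POLICY_DIR directory" >&2; exit 1; }
  work=$(mktemp -d) || exit 1
  trap 'rm -rf "$work"' EXIT
  list="$work/.staged"
  git diff --cached --name-only --diff-filter=ACM | staged_manifests > "$list"
  [ -s "$list" ] || exit 0            # no manifests in this commit: nothing to check
  # Policies must travel with the manifests: gatekeeper-validate evaluates the
  # templates and constraints that appear in the same input stream.
  for p in "$POLICY_DIR"/*.yaml "$POLICY_DIR"/*.yml; do
    [ -f "$p" ] && cp "$p" "$work"/
  done
  while IFS= read -r f; do
    mkdir -p "$work/$(dirname "$f")"
    git show ":$f" > "$work/$f"      # staged content, not the working copy
  done < "$list"
  rm -f "$list"
  validate_dir "$work" || { echo "pre-commit: Gatekeeper violations found" >&2; exit 1; }
}

# Run only when invoked as the hook, so the functions can be sourced elsewhere.
case "${0##*/}" in pre-commit) main ;; esac
```

Install it as `.git/hooks/pre-commit` (executable); `git commit` then refuses commits whose staged manifests violate a constraint.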
@maxsmythe thank you very much for your solution
I think this should match my use case :)
I wasn't able to verify this because I got an error:
Error: 1 error occurred: templates["admission.k8s.gatekeeper.sh"]["registry"]:3: rego_parse_error: no match found
violation[{"msg": msg, "details": {}}] { var container; input_containers[container]; not startswith(container.image, input.parameters.registry); assign(msg, sprintf("image '%v' comes from untrusted", [container.image])) }
^
I found this issue in this project. I assumed I'm hitting the same problem.
I filed an issue over there.
Again thank you
No problem!
I think the issue is that that kpt-function is based on an older version of Gatekeeper; I have a PR out to update it.
Hi, I would like to use the Gatekeeper project with its constraint framework approach.
But I would like to have the ability to test my defined constraints against local files.
With plain Rego I can define a policy regardless of whether the input is a deployment.yaml or an AdmissionReview sent by the API Server.
Example:
check-registry.rego
Is there a way to "opa eval ..." the defined constraints and constraint templates? Or is the only way to test my policies to apply them to a test cluster and try it out?
I wasn't able to find something in this direction on the internet.
Background: I want to give app developers the ability to check if their manifests follow company rules, with an easier way than checking an internal wiki where policies are documented, or instead of looking at error logs in their CI/CD pipeline to figure out what policy was not met.