Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Unit testing Kubernetes configs using Open Policy Agent and Conftest

Gareth Rushgrove
July 25, 2019
Technology
2
680

Unit testing Kubernetes configs using Open Policy Agent and Conftest

Quick introduction to Conftest for the Kubernetes community weekly meeting.

Gareth Rushgrove

July 25, 2019
Tweet

More Decks by Gareth Rushgrove

See All by Gareth Rushgrove
GTM vs Open Source
garethr
0
590
Software Build of Materials For Cloud Native applications
garethr
1
300
Evolving vulnerabilities in CycloneDX
garethr
0
220
Configuration security is a developer problem
garethr
2
1.8k
Patterns for secure container base image management
garethr
1
1.7k
Testing configuration with Open Policy Agent
garethr
0
400
Building a Docker Image Packaging Pipeline Using GitHub Actions
garethr
4
1.7k
The perils of configuration security
garethr
1
170
Shifting Terraform security left
garethr
3
1.4k

Other Decks in Technology

See All in Technology
Invitation to K8s-Docs ja
nasa9084
0
140
リアルとデジタルをつなぐ、Web3社会実装への取り組み
sbtechnight
PRO
0
390
Snyk の紹介 〜セキュリティの Shift Left を目指す〜
toshiaizawa
0
110
最先端の質問応答技術の研究開発と迅速な実用化ーStudio Ousiaでの取り組みー
ikuyamada
2
470
軟體品質不只測試: LINE QA團隊分享
line_developers_tw
PRO
0
5k
様々な環境へコマンドラインツールを提供する上での苦労とその対策 / YAPC::Kyoto 2023
konboi
0
2.3k
ビギナー向け エッジランタイムのすすめ | エッジランタイムを意識した開発をはじめよう
aiji42
1
520
AstroNvim を使おう!
ybrliiu
0
110
ITエンジニアとして大切にしている3つのこと
korodroid
1
300
WebGLやCanvasを使ったデータ可視化コンテンツ開発/nikkei-tech-talk5-3
nikkei_engineer_recruiting
0
120
自動運転レベル4解禁にあたり求められる遠隔監視技術
sbtechnight
PRO
0
550
QMファンネルとQAキャリア
gen519
PRO
1
140

Featured

See All Featured
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
270
12k
Teambox: Starting and Learning
jrom
124
7.9k
Writing Fast Ruby
sferik
613
58k
Bash Introduction
62gerente
602
210k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
32
7.2k
The Invisible Side of Design
smashingmag
292
49k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
44
14k
GraphQLの誤解/rethinking-graphql
sonatard
39
8k
Thoughts on Productivity
jonyablonski
50
2.8k
Clear Off the Table
cherdarchuk
79
290k
A Modern Web Designer's Workflow
chriscoyier
689
180k
The Brand Is Dead. Long Live the Brand.
mthomps
48
3k

Transcript

  1. Unit testing Kubernetes configs
    Using Open Policy Agent and Conftest

    View Slide

  2. Open Policy Agent is
    normally used here
    Development cycle
    Cluster
    Local
    development
    Continuous
    integration

    View Slide

  3. For example...

    View Slide

  4. What if we could use Open
    Policy Agent here as well?
    Development cycle
    Cluster
    Local
    development
    Continuous
    integration

    View Slide

  5. Introducing Conftest
    snyk.io

    View Slide

  6. apiVersion: apps/v1
    kind: Deployment
    metadata:
    name: hello-kubernetes
    spec:
    replicas: 3
    selector:
    matchLabels:
    app: hello-kubernetes
    template:
    metadata:
    labels:
    app: hello-kubernetes
    spec:
    containers:
    - name: hello-kubernetes
    image: paulbouwer/hello-kubernetes:1.5
    ports:
    Given a Kubernetes config file

    View Slide

  7. package main
    deny[msg] {
    input.kind = "Deployment"
    not input.spec.template.spec.securityContext.runAsNonRoot = true
    msg = "Containers must not run as root"
    }
    deny[msg] {
    input.kind = "Deployment"
    not input.spec.selector.matchLabels.app
    msg = "Containers must provide app label for pod selectors"
    }
    Write your policies

    View Slide

  8. deny[msg] {
    input.kind = "Deployment"
    not input.spec.template.spec.securityContext.runAsNonRoot = true
    msg = "Containers must not run as root"
    }
    Rego? A DSL for policy
    We should deny any input for which
    Deployment is the value for kind
    and
    When runAsNonRoot is set to false

    View Slide

  9. $ conftest test deployment.yaml
    deployment.yaml
    Containers must not run as root
    $ echo $status
    1
    Run tests with conftest

    View Slide

  10. // Where should we eat at
    // KubeCon in San Diego?
    {
    "restaurants": [
    "Campfire",
    "Galaxy Taco",
    "Olive Garden",
    "Dija Mara",
    "Mikkeller",
    "Wrench and Rodent"
    ]
    }
    Not just K8s
    package main
    deny["Nice try Lachlan"] {
    input.restaurants[_] = "Olive Garden"
    }
    Currently supports HCL, TOML,
    YAML, JSON, CUE and INI

    View Slide

  11. Demo

    View Slide

  12. Join in
    snyk.io
    - Join the #conftest channel on the Open Policy
    Agent Slack at slack.openpolicyagent.org
    - Download or hack on Conftest at
    github.com/instrumenta/conftest

    View Slide