Unit testing Kubernetes configs using Open Policy Agent and Conftest

Quick introduction to Conftest for the Kubernetes community weekly meeting.

Gareth Rushgrove

July 25, 2019
Transcript

  1. Unit testing Kubernetes configs using Open Policy Agent and Conftest

  2. Open Policy Agent is normally used here
     [diagram of the development cycle: Local development, Continuous integration, Cluster; OPA sits in the Cluster]

  3. For example...

  4. What if we could use Open Policy Agent here as well?
     [same diagram, now pointing at Local development and Continuous integration]

  5. Introducing Conftest (snyk.io)

  6. Given a Kubernetes config file

       apiVersion: apps/v1
       kind: Deployment
       metadata:
         name: hello-kubernetes
       spec:
         replicas: 3
         selector:
           matchLabels:
             app: hello-kubernetes
         template:
           metadata:
             labels:
               app: hello-kubernetes
           spec:
             containers:
             - name: hello-kubernetes
               image: paulbouwer/hello-kubernetes:1.5
               ports:

  7. Write your policies

       package main

       deny[msg] {
         input.kind = "Deployment"
         not input.spec.template.spec.securityContext.runAsNonRoot = true
         msg = "Containers must not run as root"
       }

       deny[msg] {
         input.kind = "Deployment"
         not input.spec.selector.matchLabels.app
         msg = "Containers must provide app label for pod selectors"
       }

  8. Rego? A DSL for policy

       deny[msg] {
         input.kind = "Deployment"
         not input.spec.template.spec.securityContext.runAsNonRoot = true
         msg = "Containers must not run as root"
       }

     We should deny any input for which Deployment is the value for kind and runAsNonRoot is not set to true. Because the rule is written as `not ... = true`, it also fires when the field is absent, not only when it is explicitly false.

  9. Run tests with conftest

       $ conftest test deployment.yaml
       deployment.yaml
         Containers must not run as root

       $ echo $status
       1

  10. Not just K8s

        // Where should we eat at
        // KubeCon in San Diego?
        {
          "restaurants": [
            "Campfire",
            "Galaxy Taco",
            "Olive Garden",
            "Dija Mara",
            "Mikkeller",
            "Wrench and Rodent"
          ]
        }

        package main

        deny["Nice try Lachlan"] {
          input.restaurants[_] = "Olive Garden"
        }

      Currently supports HCL, TOML, YAML, JSON, CUE and INI

  11. Demo

  12. Join in (snyk.io)
      - Join the #conftest channel on the Open Policy Agent Slack at slack.openpolicyagent.org
      - Download or hack on Conftest at github.com/instrumenta/conftest
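
The policy itself can be unit tested too. The following is an added example, not code from the slides or from the Conftest project: it keeps the two deny rules from slides 7 and 8, in the pre-1.0 Rego syntax they use, and adds `test_` rules that pin down the absent-versus-false behaviour of `runAsNonRoot`. The `good_deployment` fixture is constructed, and the tests are assumed to be run with `opa test .` (or `conftest verify`).

```rego
package main

# The two rules from the slides, unchanged.
deny[msg] {
  input.kind = "Deployment"
  not input.spec.template.spec.securityContext.runAsNonRoot = true
  msg = "Containers must not run as root"
}

deny[msg] {
  input.kind = "Deployment"
  not input.spec.selector.matchLabels.app
  msg = "Containers must provide app label for pod selectors"
}

# Constructed fixture: a Deployment that satisfies both rules.
good_deployment = {
  "kind": "Deployment",
  "spec": {
    "selector": {"matchLabels": {"app": "hello-kubernetes"}},
    "template": {"spec": {"securityContext": {"runAsNonRoot": true}}}
  }
}

test_compliant_deployment_passes {
  count(deny) == 0 with input as good_deployment
}

# Explicit false must be denied.
test_run_as_root_false_is_denied {
  bad := json.patch(good_deployment, [{"op": "replace", "path": "/spec/template/spec/securityContext/runAsNonRoot", "value": false}])
  deny["Containers must not run as root"] with input as bad
}

# Absent securityContext (the Kubernetes default) must be denied as well.
test_missing_run_as_non_root_is_denied {
  bad := json.remove(good_deployment, ["/spec/template/spec/securityContext"])
  deny["Containers must not run as root"] with input as bad
}

test_missing_app_label_is_denied {
  bad := json.remove(good_deployment, ["/spec/selector/matchLabels/app"])
  deny["Containers must provide app label for pod selectors"] with input as bad
}

# Rules are scoped to Deployments; other kinds pass untouched.
test_non_deployment_is_ignored {
  count(deny) == 0 with input as {"kind": "Service"}
}
```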