Slide 1

Slide 1 text

Unit testing Kubernetes configs Using Open Policy Agent and Conftest

Slide 2

Slide 2 text

Open Policy Agent is normally used here (diagram of the development cycle with three stages: Local development, Continuous integration, Cluster)

Slide 3

Slide 3 text

For example...

Slide 4

Slide 4 text

What if we could use Open Policy Agent here as well? (same development-cycle diagram: Local development, Continuous integration, Cluster)

Slide 5

Slide 5 text

Introducing Conftest snyk.io

Slide 6

Slide 6 text

Given a Kubernetes config file

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-kubernetes
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-kubernetes
  template:
    metadata:
      labels:
        app: hello-kubernetes
    spec:
      containers:
      - name: hello-kubernetes
        image: paulbouwer/hello-kubernetes:1.5
        ports:

Slide 7

Slide 7 text

Write your policies

package main

deny[msg] {
  input.kind = "Deployment"
  not input.spec.template.spec.securityContext.runAsNonRoot = true
  msg = "Containers must not run as root"
}

deny[msg] {
  input.kind = "Deployment"
  not input.spec.selector.matchLabels.app
  msg = "Containers must provide app label for pod selectors"
}

Slide 8

Slide 8 text

Rego? A DSL for policy

deny[msg] {
  input.kind = "Deployment"
  not input.spec.template.spec.securityContext.runAsNonRoot = true
  msg = "Containers must not run as root"
}

We should deny any input for which Deployment is the value for kind, and runAsNonRoot is not set to true (the rule fires whether the field is false or missing altogether).

Slide 9

Slide 9 text

Run tests with conftest

$ conftest test deployment.yaml
deployment.yaml
  Containers must not run as root
$ echo $status
1
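The rule on the previous slides fails a Deployment not only when runAsNonRoot is false but also when the field is absent, which is the case worth pinning down before the policy gates a pipeline. The following is an added example, not code from the deck or from the Conftest project: the same deny rule together with Rego unit tests that exercise the false, unset and true cases. The helper name deployment_with is an assumption of this example. Save it as a .rego file in the policy directory and run `conftest verify` (or `opa test .`) to execute the test_ rules; `conftest test deployment.yaml` still evaluates only the deny rule, and its non-zero exit status is what fails a CI job.

```rego
package main

# Added example (not from the slides). The deny rule below is the one shown
# in the deck; the test_ rules are the addition.

# Deny when runAsNonRoot is not explicitly true. Because the body uses
# `not ... = true`, a Deployment that omits the field is denied as well,
# not only one that sets it to false.
deny[msg] {
  input.kind = "Deployment"
  not input.spec.template.spec.securityContext.runAsNonRoot = true
  msg = "Containers must not run as root"
}

# Assumed helper: builds a minimal Deployment with the given pod-level
# securityContext so each test case stays one line.
deployment_with(sc) = {
  "kind": "Deployment",
  "spec": {"template": {"spec": {"securityContext": sc}}}
}

# runAsNonRoot: false -> denied
test_deny_when_run_as_non_root_false {
  deny["Containers must not run as root"] with input as deployment_with({"runAsNonRoot": false})
}

# runAsNonRoot omitted entirely -> also denied (the edge case)
test_deny_when_run_as_non_root_unset {
  deny["Containers must not run as root"] with input as deployment_with({})
}

# runAsNonRoot: true -> allowed
test_allow_when_run_as_non_root_true {
  not deny["Containers must not run as root"] with input as deployment_with({"runAsNonRoot": true})
}

# Non-Deployment kinds are outside this rule's scope and pass untouched
test_ignores_non_deployments {
  not deny["Containers must not run as root"] with input as {"kind": "Service"}
}
```

Keeping the tests beside the rule means a later edit that relaxes the check (for example, changing it to `input...runAsNonRoot = false`) is caught by test_deny_when_run_as_non_root_unset before it reaches the cluster.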

Slide 10

Slide 10 text

Not just K8s

// Where should we eat at
// KubeCon in San Diego?
{
  "restaurants": [
    "Campfire",
    "Galaxy Taco",
    "Olive Garden",
    "Dija Mara",
    "Mikkeller",
    "Wrench and Rodent"
  ]
}

package main

deny["Nice try Lachlan"] {
  input.restaurants[_] = "Olive Garden"
}

Currently supports HCL, TOML, YAML, JSON, CUE and INI

Slide 11

Slide 11 text

Demo

Slide 12

Slide 12 text

Join in

- Join the #conftest channel on the Open Policy Agent Slack at slack.openpolicyagent.org
- Download or hack on Conftest at github.com/instrumenta/conftest