Slide 57
OK (passes the policy: pod-level runAsNonRoot is set to true):

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  securityContext:
    runAsNonRoot: true
  containers:
  - name: nginx
    image: nginx:1.20.0
NG (fails the policy: runAsNonRoot is not set):

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx:1.20.0
57 Copyright © 2021, Oracle and/or its affiliates
GitOps: 2. CI & GitOps, CI & CD Security
Conftest
policy/check-runAsNonRoot.rego:

package main

deny[msg] {
    input.kind == "Pod"
    not input.spec.securityContext.runAsNonRoot
    msg := "Containers must not run as root !!"
}

opa/pod.yaml: the Pod manifest under test
Result for the NG manifest:

$ conftest test opa
FAIL - opa/pod.yaml - Containers must not run as root !!
1 test, 0 passed, 0 warnings, 1 failure, 0 exceptions
The rule is written in Rego: if runAsNonRoot is not set, the policy returns "Containers must not run as root !!".
Conftest GitHub https://github.com/open-policy-agent/conftest
Policy Language https://www.openpolicyagent.org/docs/latest/policy-language/
Result for the OK manifest (same command):

1 test, 1 passed, 0 warnings, 0 failures, 0 exceptions
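The slide's rule only looks at the pod-level field, but Kubernetes lets each container set its own securityContext.runAsNonRoot, which overrides the pod-level value. The policy below is an added example (not from the slide or from the Conftest project) that evaluates the effective per-container setting, including initContainers; the rule names all_containers and effective_run_as_non_root are my own.

```rego
package main

# Added example: extends the slide's check to container-level overrides.
# Kubernetes applies a container's securityContext.runAsNonRoot over the
# pod-level value, so a pod-level "true" can be undone by a container that
# sets "false", and a pod without the pod-level field is still fine if
# every container sets "true" itself.

# Every container the kubelet will start: main containers and init containers.
all_containers[c] {
    c := input.spec.containers[_]
}

all_containers[c] {
    c := input.spec.initContainers[_]
}

# Effective value for one container: the container-level field wins,
# the pod-level field is the fallback, and "unset everywhere" counts as
# false (the Kubernetes default is to allow running as root).
effective_run_as_non_root(c) = v {
    v := c.securityContext.runAsNonRoot
} else = v {
    v := input.spec.securityContext.runAsNonRoot
} else = false

# One violation per offending container, so the report names it.
deny[msg] {
    input.kind == "Pod"
    c := all_containers[_]
    not effective_run_as_non_root(c)
    msg := sprintf("Container '%s' must not run as root !!", [c.name])
}
```

With this policy the slide's NG manifest still fails (now naming the nginx container) and the OK manifest still passes, and a manifest that sets runAsNonRoot: true at pod level but runAsNonRoot: false on a container is also rejected.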