Commit 53542e5

Update README
1 parent 34b53c0 commit 53542e5

2 files changed

+24
-14
lines changed

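--- a/README.md
+++ b/README.md
@@ -222,9 +222,7 @@ other source types use custom code in the `kubeapply` binary.
 This validates all of the expanded configs for the cluster using the
 [`kubeconform`](https://github.com/yannh/kubeconform) library. It also, optionally, supports
 validating configs using one or more [OPA](https://www.openpolicyagent.org/) policies in
-rego format. The latter allows checking that configs satisfy organization-specific standards,
-e.g. that resource labels are in the correct format, that images are only pulled from the
-expected registries, etc.
+rego format; see the "Experimental features" section below for more details.
 
 #### Diff
 
@@ -341,8 +339,20 @@ e.g. `file://path/to/my/file`. The outputs of each profile will be expanded into
 ### OPA policy checks
 
 The `kubeapply validate` subcommand now supports checking configs against policies in
-[Open Policy Agent (OPA)](https://www.openpolicyagent.org/) format.
+[Open Policy Agent (OPA)](https://www.openpolicyagent.org/) format. This can be helpful for
+enforcing organization-specific standards, e.g. that images need to be pulled from a particular
+private registry, that all labels are in a consistent format, etc.
 
+To use this, write up your policies as `.rego` files as described in the OPA documentation and run
+the former subcommand with one or more `--policy=[path to policy]` arguments. By default, policies
+should be in the `com.segment.kubeapply` package. Denial reasons, if any, are returned by
+setting a `deny` variable with a set of denial reason strings. If this set is empty,
+`kubeapply` will assume that the config has passed all checks in the policy file.
+
+If a denial reason begins with the string `warn:`, then that denial will be treated as a
+non-blocking warning as opposed to an error that causes validation to fail.
+
+See [this unit test](/pkg/validation/policy_test.go) for some examples.
 
 ## Testing
 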
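--- a/pkg/validation/policy_test.go
+++ b/pkg/validation/policy_test.go
@@ -10,7 +10,7 @@ import (
 
 const (
 denyPolicyStr = `
-package example
+package com.segment.kubeapply
 
 deny[msg] {
 input.apiVersion == "badVersion"
@@ -28,7 +28,7 @@ deny[msg] {
 }`
 
 allowPolicyStr = `
-package example
+package com.segment.kubeapply
 
 default allow = true
 
@@ -63,7 +63,7 @@ func TestPolicyChecker(t *testing.T) {
 policyModule: PolicyModule{
 Name: "testDenyPolicy",
 Contents: denyPolicyStr,
-Package: "example",
+Package: "com.segment.kubeapply",
 Result: "deny",
 },
 resource: MakeResource("test/path", []byte(goodVersionResourceStr), 0),
@@ -78,7 +78,7 @@ func TestPolicyChecker(t *testing.T) {
 policyModule: PolicyModule{
 Name: "testDenyPolicy",
 Contents: denyPolicyStr,
-Package: "example",
+Package: "com.segment.kubeapply",
 Result: "deny",
 ExtraFields: map[string]interface{}{
 "extraKey": "goodValue",
@@ -99,7 +99,7 @@ func TestPolicyChecker(t *testing.T) {
 policyModule: PolicyModule{
 Name: "testDenyPolicy",
 Contents: denyPolicyStr,
-Package: "example",
+Package: "com.segment.kubeapply",
 Result: "deny",
 ExtraFields: map[string]interface{}{
 "extraKey2": "warnValue",
@@ -120,7 +120,7 @@ func TestPolicyChecker(t *testing.T) {
 policyModule: PolicyModule{
 Name: "testDenyPolicy",
 Contents: denyPolicyStr,
-Package: "example",
+Package: "com.segment.kubeapply",
 Result: "deny",
 ExtraFields: map[string]interface{}{
 "extraKey": "extraBadValue",
@@ -142,7 +142,7 @@ func TestPolicyChecker(t *testing.T) {
 policyModule: PolicyModule{
 Name: "testDenyPolicy",
 Contents: denyPolicyStr,
-Package: "example",
+Package: "com.segment.kubeapply",
 Result: "deny",
 ExtraFields: map[string]interface{}{
 "extraKey": "extraBadValue",
@@ -166,7 +166,7 @@ func TestPolicyChecker(t *testing.T) {
 policyModule: PolicyModule{
 Name: "testAllowPolicy",
 Contents: allowPolicyStr,
-Package: "example",
+Package: "com.segment.kubeapply",
 Result: "allow",
 },
 resource: MakeResource("test/path", []byte(goodVersionResourceStr), 0),
@@ -181,7 +181,7 @@ func TestPolicyChecker(t *testing.T) {
 policyModule: PolicyModule{
 Name: "testAllowPolicy",
 Contents: allowPolicyStr,
-Package: "example",
+Package: "com.segment.kubeapply",
 Result: "allow",
 },
 resource: MakeResource("test/path", []byte(badVersionResourceStr), 0),
@@ -196,7 +196,7 @@ func TestPolicyChecker(t *testing.T) {
 policyModule: PolicyModule{
 Name: "testAllowPolicy",
 Contents: allowPolicyStr,
-Package: "example",
+Package: "com.segment.kubeapply",
 Result: "allow",
 },
 resource: MakeResource("test/path", []byte(""), 0),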
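Review bot: Every case in TestPolicyChecker now sets `Package: "com.segment.kubeapply"` explicitly, so no test exercises the default that the README in this same commit documents ("By default, policies should be in the `com.segment.kubeapply` package"); a case that leaves `Package` unset against `denyPolicyStr` and still expects the `deny` result would pin that default and catch the checker and the docs drifting apart. A second case worth adding is a module whose `package` line disagrees with the `Package` field (for instance the old `package example` contents with the new `Package` value), asserting that the mismatch is reported as an error rather than evaluating to an empty `deny` set that reads as "passed all checks" — whether the checker currently fails closed here cannot be told from these hunks, and a fail-open mismatch would silently disable the policy. TestPolicyChecker starts and ends outside the hunks shown.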
