Update README and remove kubeval

Author: yolken-segment

Dockerfile

@@ -34,7 +34,6 @@ RUN pip3 install awscli
 
 COPY --from=builder \
     /usr/local/bin/helm \
-    /usr/local/bin/kubeval \
     /usr/local/bin/kubectl \
     /usr/local/bin/kubeapply \
     /usr/local/bin/

Dockerfile.lambda

@@ -34,7 +34,6 @@ RUN pip3 install awscli
 COPY --from=builder \
     /usr/local/bin/aws-iam-authenticator \
     /usr/local/bin/helm \
-    /usr/local/bin/kubeval \
     /usr/local/bin/kubectl \
     /usr/local/bin/kubeapply \
     /usr/local/bin/

README.md

@@ -217,9 +217,14 @@ other source types use custom code in the `kubeapply` binary.
 
 #### Validate
 
-`kubeapply validate [path to cluster config]`
-
-This validates all of the expanded configs for the cluster using `kubeconform`.
+`kubeapply validate [path to cluster config] --policy=[path to OPA policy in rego format]`
+
+This validates all of the expanded configs for the cluster using the
+[`kubeconform`](https://github.com/yannh/kubeconform) library. It also, optionally, supports
+validating configs using one or more [OPA](https://www.openpolicyagent.org/) policies in
+rego format. The latter allows checking that configs satisfy organization-specific standards,
+e.g. that resource labels are in the correct format, that images are only pulled from the
+expected registries, etc.
 
 #### Diff
 

cmd/kubeapply/subcmd/check.go

@@ -30,9 +30,6 @@ func checkRun(cmd *cobra.Command, args []string) error {
 	if err := checkDep("kubectl", "version"); err != nil {
 		return err
 	}
-	if err := checkDep("kubeval", "--version"); err != nil {
-		return err
-	}
 
 	return nil
 }

examples/kubeapply-test-cluster/README.md

@@ -52,7 +52,7 @@ config or profile files.
 
 ##### (3) `make validate`
 
-Runs `kubeval` over the expanded configs to validate that they are legitimate Kubernetes
+Runs `kubeconform` over the expanded configs to validate that they are legitimate Kubernetes
 configs before continuing.
 
 ##### (4) `make diff`

scripts/create-lambda-bundle.sh

@@ -34,7 +34,6 @@ $REPO_ROOT/scripts/pull-deps.sh
 
 zip -r9 $OUTPUT_ZIP helm
 zip -r9 $OUTPUT_ZIP aws-iam-authenticator
-zip -r9 $OUTPUT_ZIP kubeval
 zip -r9 $OUTPUT_ZIP kubectl
 
 echo "Created bundle ${OUTPUT_ZIP}"

scripts/pull-deps.sh

@@ -9,9 +9,6 @@ HELM_SHA256_SUM="3fff0354d5fba4c73ebd5db59a59db72f8a5bbe1117a0b355b0c2983e98db95
 IAM_AUTHENTICATOR_VERSION="0.5.2"
 IAM_AUTHENTICATOR_SHA256_SUM="5bbe44ad7f6dd87a02e0b463a2aed9611836eb2f40d7fbe8c517460a4385621b"
 
-KUBEVAL_VERSION="0.15.0"
-KUBEVAL_SHA256_SUM="70bff2642a2886c0d9ebea452ffb81f333a956e26bbe0826fd7c6797e343e5aa"
-
 KUBECTL_VERSION="v1.20.2"
 KUBECTL_SHA512_SUM="e4513cdd65ed980d493259cc7eaa63c415f97516db2ea45fa8c743a6e413a0cdaf299d03dd799286cf322182bf9694204884bb0dd0037cf44592ddfa5e51f183"
 
@@ -32,11 +29,6 @@ wget -q -O aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-auth
 echo "${IAM_AUTHENTICATOR_SHA256_SUM} aws-iam-authenticator" | sha256sum -c
 chmod +x aws-iam-authenticator
 
-echo "Downloading kubeval at version ${KUBEVAL_VERSION}"
-wget -q https://github.com/instrumenta/kubeval/releases/download/${KUBEVAL_VERSION}/kubeval-${GOOS}-${GOARCH}.tar.gz
-echo "${KUBEVAL_SHA256_SUM} kubeval-${GOOS}-${GOARCH}.tar.gz" | sha256sum -c
-tar -xzf kubeval-${GOOS}-${GOARCH}.tar.gz
-
 echo "Downloading kubectl at version ${KUBECTL_VERSION}"
 wget -q https://dl.k8s.io/${KUBECTL_VERSION}/kubernetes-client-${GOOS}-${GOARCH}.tar.gz
 echo "${KUBECTL_SHA512_SUM} kubernetes-client-${GOOS}-${GOARCH}.tar.gz" | sha512sum -c