Local testing of Kubernetes policies #1542
Comments
Would something like the example below work?
service.rego
service_test.rego
As I dig through it a little more, there does seem to be an introduction of wrapping the YML in an AdmissionReview
@ashutosh-narkar which version of OPA is that? I'm on 0.12, which seems to be the latest and that gives me
I have not been able to use allow or deny in any of my statements.
Ok, at its most basic form, I was able to get it to work. I can build from there.
I have some concerns around "admission" policies and Kubernetes YAML policies. At first glance, they seem to differ, though they really shouldn't. In other words, if you submit a PR with service.yaml that contains valid Kubernetes that contains Kind: Service, I'd want this policy to fail in my pipeline with
Thanks for the help!
The input that you see above is what OPA gets from the Kube API server when it's implemented as an admission controller. Are you looking for a policy that validates the Kube manifest itself and is not about admission control? Is that accurate?
That is exactly correct. My concern is that you'd have to have two policies that check the exact same thing. In other words, if I have an OPA policy that says "no services allowed", I'd want that policy to validate against my Kubernetes manifest in my CI pipeline. But I'd also want that same policy running in my Kubernetes cluster with the admission controller. Can OPA use the exact same policy to validate the Kubernetes manifest itself and the result from an admission controller? I'd like to avoid duplicating every policy, one for CI/Kubernetes manifests, and one for the admission controller.
One option would be to have multiple rules with the same name in your package. For example,
So based on how the input looks (manifest validation vs admission control), the appropriate rule gets evaluated and returns the result. Whatever logic is common can be factored out into rules/functions.
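To illustrate the pattern described above, here is an added example (not the snippet from this issue or OPA's own code) with two `deny` rules of the same name, one per input shape, and the shared "no Services" check factored into a function; the package name, rule names and the sample inputs are assumptions, and the `test_` rules are kept in the same block only for brevity (they would normally live in a `_test.rego` file):

```rego
package kubernetes.validation

# Path 1: CI feeds the raw Kubernetes manifest as input (e.g. service.yaml
# converted to JSON). Nothing is wrapped, so the object is the input itself.
deny[msg] {
    not is_admission_review
    msg := service_violation(input)
}

# Path 2: the admission controller feeds an AdmissionReview; the object being
# admitted sits under input.request.object.
deny[msg] {
    is_admission_review
    msg := service_violation(input.request.object)
}

is_admission_review {
    input.kind == "AdmissionReview"
}

# Shared logic, written once: the "no Services allowed" check. The function is
# undefined (no violation) for any other kind, so deny stays empty.
service_violation(obj) = msg {
    obj.kind == "Service"
    msg := sprintf("Services are not allowed: %v", [obj.metadata.name])
}

# Constructed sample inputs for `opa test -v .`, one per input shape.
test_manifest_service_denied {
    count(deny) == 1 with input as {"kind": "Service", "metadata": {"name": "web"}}
}

test_admission_review_service_denied {
    count(deny) == 1 with input as {
        "kind": "AdmissionReview",
        "request": {"object": {"kind": "Service", "metadata": {"name": "web"}}}
    }
}

test_deployment_allowed {
    count(deny) == 0 with input as {"kind": "Deployment", "metadata": {"name": "web"}}
}
```

The same file can be loaded by `opa eval` in CI against a manifest and by the admission controller against an AdmissionReview, so the policy is not duplicated.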
Ok! This was similar to what I was theorizing. I know you can also do say...
Edit: running on OPA 0.12, Windows 10
Version: 0.12.0
Build Commit: 64052c1
Build Timestamp: 2019-06-11T22:03:42Z
Build Hostname: 74e59ffe492b
Expected Behavior
opa test -v .
runs the tests and reports back successful when policies are abided by
Actual Behavior
OPA seems to always return false
Steps to Reproduce the Problem
Using https://play.openpolicyagent.org/p/MinNMtDjC4 as reference
The above snippet which was written by @ashutosh-narkar in #1529 does run due to
var deny is unsafe
Using any of the other examples online, I'm not able to pass in a simple fake Kubernetes JSON and have it be validated successfully by OPA
Additional Info
Taking inspiration from the playground...
services.rego
services_test.rego
results in