@rawc0der
Created November 3, 2020 11:39
Common rego definitions for Conftest and Gatekeeper policies
#!/bin/bash
# Evaluate the Conftest policies against the Kubernetes manifests.
#   --data    loads ./lib/parameters.yaml, which the policies read as data.parameters
#   --policy  loads the shared helpers (lib.helpers) and the policy directory
# NOTE(review): the input path is absolute (/k8s/resources); confirm that is
# intended rather than ./k8s/resources relative to the repository.
conftest test \
  --data ./lib/parameters.yaml \
  --policy ./lib/helpers.rego \
  --policy ./policies \
  /k8s/resources
package lib.helpers
import data.parameters
# Fallback for the `is_gatekeeper` rule below: when its body is undefined
# (no `review.object` in the input) the rule is false rather than undefined,
# so `not is_gatekeeper` in the Conftest branches is always decidable.
default is_gatekeeper = false
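# has_field(obj, field) is true when `field` is a key of `obj`, whatever its value.
# `_ = obj[field]` unifies a wildcard with the value, so a key whose value is
# `false` still counts as present. The previous bare `obj[field]` expression
# evaluated to false for such a key and reported it as absent.
has_field(obj, field) {
  _ = obj[field]
}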
# Detects a Gatekeeper AdmissionReview-style input, i.e. one that carries
# `review.object`. Any other input (a plain manifest under Conftest) leaves
# this rule undefined and the `default` above turns that into false.
# NOTE(review): detection is purely structural; a Conftest document that
# happens to contain a top-level `review.object` key would also be treated
# as a Gatekeeper review.
is_gatekeeper {
  has_field(input, "review")
  review_wrapper := input.review
  has_field(review_wrapper, "object")
}
# `object` is the Kubernetes resource under evaluation, whichever tool calls
# the policy: Gatekeeper wraps it in an AdmissionReview (`input.review.object`),
# Conftest hands the manifest over as `input` directly.
object = input.review.object {
  is_gatekeeper
}

object = input {
  not is_gatekeeper
}
# `parameters` is the policy's configuration. Gatekeeper passes the
# constraint's parameters as `input.parameters`; under Conftest they come
# from the data file loaded with `--data` and are read as `data.parameters`.
parameters = input.parameters {
  is_gatekeeper
}

parameters = data.parameters {
  not is_gatekeeper
}
# `review` is the AdmissionReview wrapper. Under Conftest there is none, so a
# minimal one is synthesised from the manifest so that policies written
# against `review.object` / `review.kind` work in both modes.
# NOTE(review): the synthesised `kind` is the bare `object.kind` string;
# confirm that matches the shape consumers expect from a real review.
review = {"object": input, "kind": kind} {
  not is_gatekeeper
}

review = input.review {
  is_gatekeeper
}
# Convenience accessors for the resource's name and kind. Both are undefined
# (not an error) when the corresponding field is absent, so a rule that uses
# them simply does not fire for such input.
name = object["metadata"]["name"]

kind = object["kind"]
package k8srequiredlabels
import data.lib.helpers
import data.lib.helpers.object
import data.lib.helpers.parameters
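# Reports every required label that the resource does not carry.
#
# `parameters.labels` entries may be either a single-key map, as in the
# bundled parameters.yaml (`- app.kubernetes.io/managed-by: Helm`), or a plain
# label-name string. Only label *presence* is checked: a map entry's value
# (`Helm` above) is never compared against the resource's label value.
# Every key of a map entry is taken as a label name, so an entry shaped
# `{key: ..., allowedRegex: ...}` is not supported by this rule.
#
# Why the helper: the previous `label := parameters.labels[_]` bound the whole
# map entry (never a string), so `missing` was never empty and the violation
# fired for every resource.
violation[{"msg": msg, "details": {"missing_labels": missing}}] {
  # Empty set (not undefined) when the resource has no labels at all.
  provided := {label | object.metadata.labels[label]}
  required := required_label
  missing := required - provided
  count(missing) > 0
  msg := sprintf("you must provide labels: %v", [missing])
}

# required_label: set of label names declared in parameters.labels.
# Map entries contribute each of their keys (the wildcard unification keeps
# keys whose value is `false`) ...
required_label[label] {
  _ = parameters.labels[_][label]
}

# ... and plain string entries contribute themselves.
required_label[label] {
  label := parameters.labels[_]
  is_string(label)
}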
# Policy data loaded by `conftest test --data ./lib/parameters.yaml`; the
# policies read it as `data.parameters` (see the `lib.helpers` package).
# Each `labels` entry is a single-key map whose key is the label name the
# k8srequiredlabels policy requires. The value (`Helm`) is not compared by
# that policy as written; it checks presence only.
parameters:
  labels:
    - app.kubernetes.io/managed-by: Helm