• 设为首页
  • 点击收藏
  • 手机版
    手机扫一扫访问
    迪恩网络手机版
  • 关注官方公众号
    微信扫一扫关注
    迪恩网络公众号

open-policy-agent/gatekeeper-library: The OPA Gatekeeper policy library.

原作者: [db:作者] 来自: 网络 收藏 邀请

开源软件名称(OpenSource Name):

open-policy-agent/gatekeeper-library

开源软件地址(OpenSource Url):

https://github.com/open-policy-agent/gatekeeper-library

开源编程语言(OpenSource Language):

Open Policy Agent 96.3%

开源软件介绍(OpenSource Introduction):

OPA Gatekeeper Library

A community-owned library of policies for the OPA Gatekeeper project.

Usage

kustomize

You can use kustomize to install some or all of the templates alongside your own contraints.

First, create a kustomization.yaml file:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- github.com/open-policy-agent/gatekeeper-library/library
# You can optionally install a subset by specifying a subfolder, or specify a commit SHA
# - github.com/open-policy-agent/gatekeeper-library/library/pod-security-policy?ref=0c82f402fb3594097a90d15215ae223267f5b955
- constraints.yaml

Then define your constraints in a file called constraints.yaml in the same directory. Example constraints can be found in the "samples" folders.

You can install everything with kustomize build . | kubectl apply -f -.

More information can be found in the kustomization documentation.

kubectl

Instead of using kustomize, you can directly apply the template.yaml and constraint.yaml provided in each directory under library/

For example

cd library/general/httpsonly/
kubectl apply -f template.yaml
kubectl apply -f samples/ingress-https-only/constraint.yaml
kubectl apply -f library/general/httpsonly/sync.yaml # optional: when GK is running with OPA cache

Testing

The suite.yaml files define test cases for each ConstraintTemplate in the library. Changes to gatekeeper-library ConstraintTemplates may be tested with the gator CLI:

gatekeeper-library$ gator verify ./...

The gator CLI may be downloaded from the Gatekeeper releases page.

How to contribute to the library

New policy

If you have a policy you would like to contribute, please submit a pull request. Each new policy should contain:

  • A constraint template named src/<policy-name>/constraint.tmpl with a description annotation and the parameter structure, if any, defined in spec.crd.spec.validation.openAPIV3Schema. The template is rendered using gomplate.
  • One or more sample constraints, each with an example of an allowed (example_allowed.yaml) and disallowed (example_disallowed.yaml) resource under library/<policy-name>/samples/<policy-name>
  • kustomization.yaml and suite.yaml under library/<policy-name>
  • The rego source, as src.rego and unit tests as src_test.rego in the corresponding subdirectory under src/<policy-name>

Development

  • policy code and tests are maintained in src/<policy-name>/src.rego and src/<policy-name>/src_test.rego
  • make generate will generate library/<policy-name>/template.yaml from src/<policy-name>/src.rego using gomplate.
  • run all tests with ./test.sh
  • run single test with opa test src/<folder>/src.rego src/<folder>/src_test.rego --verbose
  • print results with trace(sprintf("%v", [thing]))



鲜花

握手

雷人

路过

鸡蛋
该文章已有0人参与评论

请发表评论

全部评论

专题导读
热门推荐
阅读排行榜

扫描微信二维码

查看手机版网站

随时了解更新最新资讯

139-2527-9053

在线客服(服务时间 9:00~18:00)

在线QQ客服
地址:深圳市南山区西丽大学城创智工业园
电邮:jeky_zhao#qq.com
移动电话:139-2527-9053

Powered by 互联科技 X3.4© 2001-2213 极客世界.|Sitemap