A set of shared policies for use with Conftest and other Open Policy Agent tools

instrumenta/policies

Policies

Open Policy Agent is a powerful library, and with tools like Conftest, Gatekeeper and more it has many uses.

By focusing on shared policies we can lower the barrier to entry to using these tools, as well as make it easier to learn the Rego language.

An example

A good example of where this is useful is with Conftest, and its ability to pull policies from external sources. Without being an expert in Rego, or needing to write any rules, it's possible to test your deployments with Conftest like so:

$ conftest test --update github.com/instrumenta/policies.git//kubernetes deployment+service.yaml
PASS - deployment+service.yaml - data.main.violation
FAIL - deployment+service.yaml - hello-kubernetes in the Deployment hello-kubernetes does not have a memory limit set
FAIL - deployment+service.yaml - hello-kubernetes in the Deployment hello-kubernetes does not have a CPU limit set
FAIL - deployment+service.yaml - hello-kubernetes in the Deployment hello-kubernetes doesn't drop all capabilities
FAIL - deployment+service.yaml - hello-kubernetes in the Deployment hello-kubernetes is not using a read only root filesystem
FAIL - deployment+service.yaml - hello-kubernetes in the Deployment hello-kubernetes allows priviledge escalation
FAIL - deployment+service.yaml - hello-kubernetes in the Deployment hello-kubernetes is running as root
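
To show what a policy producing output like the above looks like, here is an added example in Rego. It is not code from the instrumenta/policies repository; it assumes Conftest's conventions (package `main`, a `violation` set rule, one manifest document as `input`) and reproduces four of the messages shown.

```rego
package main

# Assumed input shape: one Kubernetes manifest document, as Conftest
# passes it to the policy. A Service document never matches, because
# every rule below is gated on kind == "Deployment".
is_deployment {
  input.kind == "Deployment"
}

# Helper: the container explicitly drops every Linux capability.
drops_all_capabilities(container) {
  container.securityContext.capabilities.drop[_] == "ALL"
}

# A missing memory limit lets one container starve the whole node.
violation[msg] {
  is_deployment
  container := input.spec.template.spec.containers[_]
  not container.resources.limits.memory
  msg := sprintf("%s in the Deployment %s does not have a memory limit set",
    [container.name, input.metadata.name])
}

violation[msg] {
  is_deployment
  container := input.spec.template.spec.containers[_]
  not drops_all_capabilities(container)
  msg := sprintf("%s in the Deployment %s doesn't drop all capabilities",
    [container.name, input.metadata.name])
}

# allowPrivilegeEscalation defaults to true when unset, so only an
# explicit false passes this rule.
violation[msg] {
  is_deployment
  container := input.spec.template.spec.containers[_]
  not container.securityContext.allowPrivilegeEscalation == false
  msg := sprintf("%s in the Deployment %s allows privilege escalation",
    [container.name, input.metadata.name])
}

# Only an explicit runAsNonRoot: true proves the container is not root.
violation[msg] {
  is_deployment
  container := input.spec.template.spec.containers[_]
  not container.securityContext.runAsNonRoot == true
  msg := sprintf("%s in the Deployment %s is running as root",
    [container.name, input.metadata.name])
}
```

Saved under Conftest's default `policy/` directory, `conftest test deployment+service.yaml` evaluates it against each document in the file without the `--update` step.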

Interested?

This repository is hopefully a staging ground to collect together some useful policies in one place. This is not a unique idea, and the community is actively discussing sharing and reuse at the moment.

If you're interested in shared policies for Open Policy Agent please join the conversation. Join us on the Open Policy Agent Slack in the #registry channel, as well as the #falco-opa-registry channel on the CNCF Slack.
