tl;dr: Test Kubernetes manifests for known production issues before deploying to production.
This repo contains Open Policy Agent policies for testing
Kubernetes manifests with conftest. The policies close the gap
between kubectl apply --dry-run --validate or kubeval, and the
Kubernetes API. These policies identify semantic validation issues
such as Deployment selector not matching template labels and higher
level best practices.
$ git clone [email protected]:ahawkins/opa-kubernetes.git
$ conftest test -p opa-kubernetes/policy your_manifests/*.yml
$ conftest test -p opa-kubernetes/policy -n combined your_manifests/*.yml
Goals:
- Identify manifest that may be rejected by the Kubernetes API
- Identify functional issues in manifests not identified by existing tools
- Enforce best practices
Applies to: Deployment, Job, CronJob
- WRK-01: containers set resource requests and limits
- WRK-02:
volumeMountmatchesvolume - WRK-03:
volumesare mounted
- DPL-01: containers set liveness and readiness probes
- DPL-02: selector matches template labels
- DPL-03: liveness and readiness probes match container port
- JOB-01: explicit
backoffLimitset
- SEC-01: base64 encoded secrets contain valid Base64 encoded keys
- HPA-01: Less minimum than maximum replicas
- CMB-01: container
envFrommatches aConfigMaporSecretin the manifests - CMB-02: volume from matches
ConfigMaporSecret - CMB-03:
Serviceselector matches aDeployment - CMB-04:
HorizontalPodAutoscalerscaling target matches aDeployment - CMB-05: Service port matches container port
- CMB-06: HPA managed deployment does not set replicas
Applies to: Deployment, Job, CronJob
Add a new acceptance test in test/ for the rule. Tests take valid
data then modify them with yq to break the rule. Tests assert that
the relevant conftest test command exists non-zero and outputs the
rule number.
$ task test:acceptance