Add tests for data validation

Add policices written in [rego](https://www.openpolicyagent.org/docs/latest/policy-language/) that validate kubernetes resources configuration of the community infrastructure. Only the ingresses resources are covered. THis is heavily inspired from https://github.com/deliveryhero/helm-charts/tree/master/ci/helm-conftest-policies. [conftest](https://github.com/open-policy-agent/conftest) will be against those policies. Ref: kubernetes#1734 Signed-off-by: Arnaud Meukam <[email protected]>
ameukam · Mar 4, 2021 · fb8becc · fb8becc
1 parent 71591c3
commit fb8becc
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 0 deletions.
diff --git a/policies/base.rego b/policies/base.rego
@@ -0,0 +1,10 @@
+package main 
+
+import data.kubernetes
+
+apiversion = input.apiversion
+
+warn[msg] {
+    kubernetes.is_ingress
+    msg = sprintf("Found ingress %s", [apiversion])
+}
diff --git a/policies/deprecations.rego b/policies/deprecations.rego
@@ -0,0 +1,21 @@
+package main
+
+warn[msg] {
+  input.apiVersion == "v1"
+  input.kind == "List"
+  obj := input.items[_]
+  msg := _warn with input as obj
+}
+
+warn[msg] {
+  input.apiVersion != "v1"
+  input.kind != "List"
+  msg := _warn
+}
+
+# Ingress resources extensions/v1beta1 will no longer be served from in v1.20. Migrate use to the networking.k8s.io/v1beta1 API, available since v1.14.
+_warn = msg {
+  input.apiVersion == "extensions/v1beta1"
+  input.kind == "Ingress"
+  msg := sprintf("%s/%s: API extensions/v1beta1 for Ingress is deprecated from Kubernetes 1.14, use networking.k8s.io/v1beta1 instead.", [input.kind, input.metadata.name])
+}
diff --git a/policies/kubernetes.rego b/policies/kubernetes.rego
@@ -0,0 +1,14 @@
+
+package kubernetes
+
+is_service {
+    input.kind = "Service"
+}
+
+is_deployment {
+    input.kind = "Deployment"
+}
+
+is_ingress {
+    input.kind = "Ingress"
+}