Conftest Kubectl plugin #52

Closed
garethr opened this issue Jul 27, 2019 · 1 comment
Labels
enhancement New feature or request


garethr commented Jul 27, 2019

I built a proof-of-concept kubectl plugin for conftest, which can be found here: https://github.com/instrumenta/conftest/tree/master/plugin. I'll let folks read the one-liner in there to understand why I say proof of concept :)

It works as follows:

$ kubectl conftest -h
A Kubectl plugin for using Conftest to test objects in Kubernetes using Open Policy Agent

See https://github.com/instrumenta/conftest for more information

Usage:
   kubectl conftest (TYPE[.VERSION][.GROUP] [NAME] | TYPE[.VERSION][.GROUP]/NAME)

You can use the same syntax as kubectl get to grab lists or individual resources, and then have conftest apply policy against them.

$ kubectl conftest service
   Found service hello-kubernetes but services are not allowed
   Found service kubernetes but services are not allowed

I reason this is useful for auditing an existing cluster. Especially useful if you have opinions encoded in Rego, and someone has just given you a new cluster to manage. It's also useful when writing policies, as you can easily test it against your real cluster and not just mocked data.

I proposed this to the Krew index, kubernetes-sigs/krew-index#146, but that raised a larger conversation about what the Krew folks want in the index.

Opening this issue to track taking the PoC and making a more robust plugin. I'm imagining that as another standalone Go binary, reusing much of the Conftest code. This is probably a good place to look at the public Conftest library interface too.

@garethr garethr added the enhancement New feature or request label Jul 27, 2019
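
A policy that would produce the messages shown in the `kubectl conftest service` output above, added here as an example and not taken from the issue or the conftest repository. It assumes the plugin hands conftest the JSON that `kubectl get -o json` prints, which is a `List` wrapper for a type query and a bare object for a single named resource; the helper rule name `objects` is hypothetical.

```rego
# Added example, not the project's own policy.
# conftest evaluates `deny` rules in package `main` by default.
package main

# Assumption: an OPA version that understands `import rego.v1`.
import rego.v1

# Normalise the input: `kubectl get TYPE -o json` returns kind "List"
# with the resources under .items ...
objects contains obj if {
	input.kind == "List"
	some obj in input.items
}

# ... while `kubectl get TYPE/NAME -o json` returns the object itself.
objects contains obj if {
	input.kind != "List"
	obj := input
}

# One message per Service found, in the wording of the sample output.
deny contains msg if {
	some obj in objects
	obj.kind == "Service"
	msg := sprintf("Found service %s but services are not allowed", [obj.metadata.name])
}
```

Without the `List` branch the rule would silently pass on a type query, because the wrapper object's own `kind` is never `Service`.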

garethr commented Feb 9, 2020

Superseded by work in #231

@garethr garethr closed this as completed Feb 9, 2020