I built a proof of concept `kubectl` plugin for conftest, which can be found here: https://github.com/instrumenta/conftest/tree/master/plugin. I'll let folks read the one liner in there to understand why I say proof of concept :)

It works as follows:

```
$ kubectl conftest -h
A Kubectl plugin for using Conftest to test objects in Kubernetes using Open Policy Agent
See https://github.com/instrumenta/conftest for more information
Usage:
kubectl conftest (TYPE[.VERSION][.GROUP] [NAME] | TYPE[.VERSION][.GROUP]/NAME)
```

You can use the same syntax as `kubectl get` to grab lists or individual resources, and then have conftest apply policy against them.

```
$ kubectl conftest service
Found service hello-kubernetes but services are not allowed
Found service kubernetes but services are not allowed
```

I reason this is useful for auditing an existing cluster. Especially useful if you have opinions encoded in Rego, and someone has just given you a new cluster to manage. It's also useful when writing policies, as you can easily test it against your real cluster and not just mocked data.

I proposed this to the Krew index, kubernetes-sigs/krew-index#146, but that raised a larger conversation about what the Krew folks want in the index.

Opening this issue to track taking the PoC and making a more robust plugin. I'm imagining that as another standalone Go binary, reusing much of the Conftest code. This is probably a good place to look at the public Conftest library interface too.
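An added sketch, not the plugin's code from the issue or the Conftest repository, of the "fetch with `kubectl get`, then apply policy" flow described above. It handles one detail an audit has to get right: a list query returns a `kind: List` wrapper, so each item is unwrapped before being tested. The names `split_objects` and `audit` and the `policy` directory are assumptions, and the sample JSON is constructed.

```python
import json
import subprocess
import sys


def split_objects(kubectl_json: str) -> list[dict]:
    """Return the individual resources in `kubectl get -o json` output.

    A query that can match several resources comes back wrapped in a
    `kind: List` object; a query for one named resource returns it bare.
    Unwrapping lets a policy see each resource's own `kind` either way.
    """
    doc = json.loads(kubectl_json)
    if doc.get("kind") == "List":
        return list(doc.get("items", []))
    return [doc]


def audit(get_args: list[str], policy_dir: str = "policy") -> int:
    """Fetch resources with kubectl, test each with conftest.

    Returns the number of resources that failed policy.
    """
    out = subprocess.run(
        ["kubectl", "get", *get_args, "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    failed = 0
    for obj in split_objects(out):
        # `conftest test -` reads the document under test from stdin
        # and exits non-zero when a deny rule matches.
        result = subprocess.run(
            ["conftest", "test", "--policy", policy_dir, "-"],
            input=json.dumps(obj), text=True,
        )
        failed += result.returncode != 0
    return failed


# Constructed sample of the shape `kubectl get service -o json` returns.
SAMPLE_LIST = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "hello-kubernetes"}},
        {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "kubernetes"}},
    ],
})

if __name__ == "__main__":
    sys.exit(1 if audit(sys.argv[1:]) else 0)
```
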