@yolken-segment
Contributor

Description

This change includes several updates to how kubeapply validate works:

  1. Switch from kubeval to kubeconform for schema validation; among other benefits, the latter can be used as a library, which means that users don't need to install anything extra to run validation checks.
  2. Support optional validation of configs using policies in OPA format; this allows checking organization-specific rules, e.g. that images are only pulled from organization-owned image registries, etc.

The second is not super-well documented yet and may have minor API changes in the future. The initial goal here is to get something basic in place that we can iterate on at Segment. Later, if that iteration is successful, we can add more details to the README.
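A policy of the kind item 2 describes, restricting container images to organization-owned registries, could look like the following. This is an added example, not code from this pull request or from kubeapply. The package name, the `deny` rule name, the registry prefixes, and the assumption that each manifest is evaluated as `input` are illustrative; it uses the pre-1.0 Rego syntax current when this PR was opened.

```rego
# Added example (not from kubeapply): reject images from unapproved registries.
package example.registries # hypothetical package name

# Constructed allow-list. The trailing slash matters: without it, an image
# such as "registry.example.com.other.test/app" would pass a prefix check.
# Bare names like "nginx:1.19" (implicit Docker Hub) match nothing and fail.
allowed_prefixes := {"registry.example.com/", "ghcr.io/example-org/"}

workload_kinds := {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}

# Locate the pod spec for each supported kind; exactly one rule matches.
pod_spec = input.spec {
    input.kind == "Pod"
}

pod_spec = input.spec.template.spec {
    workload_kinds[input.kind]
}

pod_spec = input.spec.jobTemplate.spec.template.spec {
    input.kind == "CronJob"
}

# Collect regular and init containers; init containers pull images too
# and are easy to forget in a check like this.
containers[c] {
    c := pod_spec.containers[_]
}

containers[c] {
    c := pod_spec.initContainers[_]
}

image_allowed(image) {
    startswith(image, allowed_prefixes[_])
}

# One violation message per offending container.
deny[msg] {
    c := containers[_]
    not image_allowed(c.image)
    msg := sprintf("%s: container %q uses image %q, which is not from an approved registry", [input.kind, c.name, c.image])
}
```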

@yolken-segment yolken-segment requested review from Pryz and dk1027 April 9, 2021 20:07
Contributor

@dk1027 dk1027 left a comment

Just a minor comment on StatusOther --- maybe it should return an error/warning instead?

@Pryz

Pryz commented Apr 9, 2021

Are we able to work with policies in CI?

@yolken-segment
Contributor Author

yolken-segment commented Apr 9, 2021

@Pryz yup, that's coming in a follow-up. This change doesn't define any policies, it just adds the basic checking capability into kubeapply.

@yolken-segment yolken-segment merged commit bd5e6c9 into master Apr 9, 2021
@yolken-segment yolken-segment deleted the yolken-improve-validation branch April 9, 2021 21:14

4 participants