Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/brendanjryan/ccheck
A command line tool for validating Kubernetes configs with rego
cncf kubernetes opa rego test validation yaml
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/brendanjryan/ccheck
- Owner: brendanjryan
- Created: 2019-07-08T21:13:06.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2019-07-18T18:31:21.000Z (over 5 years ago)
- Last Synced: 2024-07-31T07:17:02.043Z (6 months ago)
- Topics: cncf, kubernetes, opa, rego, test, validation, yaml
- Language: Go
- Homepage:
- Size: 13.7 KB
- Stars: 64
- Watchers: 2
- Forks: 3
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome - ccheck - A command line tool for validating Kubernetes configs with rego (Go)
README
# `ccheck`
---
`ccheck` is a command line application for writing tests against configuration files and data using the [`rego` query language](https://www.openpolicyagent.org/docs/latest). Its intended purpose is checking Kubernetes config files (`.json` or `.yaml`), but it can be extended to support other file types.
## Usage
During evaluation the `ccheck` binary looks for `rego` rules whose names begin with `deny_` or `warn_`. When a resource matches a `deny_` rule a failure is reported; when it matches a `warn_` rule a warning is logged to the command line. An example of a valid, well-formed `ccheck` policy is as follows:
**Example `.rego file`**
```rego
package main

is_hpa {
    input.kind = "HorizontalPodAutoscaler"
}

# intended to reject horizontal pod autoscalers; note that `not is_hpa`
# makes this rule fire on every resource that is NOT an HPA (see the
# example output below, where the Deployment is the one that fails)
deny_no_hpa[msg] {
    not is_hpa
    msg = sprintf("%s must not include any Horizontal Pod AutoScalers", [input.metadata.name])
}

# intended to keep apps out of the default namespace; note that this body
# is true for any namespace other than "default", including no namespace
# at all (an undefined expression under `not` evaluates to true)
warn_no_default_namespace[msg] {
    not input.metadata.namespace = "default"
    msg = sprintf("%s should not be configured to live in the default namespace", [input.metadata.name])
}
```

**N.B.** As an added bonus you can also use `ccheck` rules as policies in the [Open Policy Agent Admission Controller](https://www.openpolicyagent.org/docs/latest/kubernetes-admission-control/#4-define-a-policy-and-load-it-into-opa-via-kubernetes). Bear in mind that the admission controller evaluates policies against the `AdmissionReview` sent by the API server, so the manifest sits at `input.request.object` rather than at the top level of `input`, and rules written for `ccheck` need that path adjusted before they will match.
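In the policy above, `not is_hpa` is true for every resource that is *not* an HPA, and `not input.metadata.namespace = "default"` is true whenever the namespace is anything other than `default`, including when it is absent. Both rules therefore fire on the Deployment in the example below rather than on the HPA, and their messages describe the opposite of what their bodies test. The policy that follows is an added example, not the project's bundled `example/policies`, written in the same pre-v1 Rego syntax as this README (OPA 1.x needs `if`/`contains` or its v0-compatible mode). It makes the behaviour match the rule names and also flags manifests that set no `namespace` at all, since those land in the default namespace at apply time:

```rego
package main

is_hpa {
    input.kind == "HorizontalPodAutoscaler"
}

# Deny HorizontalPodAutoscaler resources. With no `not` in front of
# is_hpa the rule fires on HPA documents, as its message says.
deny_no_hpa[msg] {
    is_hpa
    msg := sprintf("%s is a HorizontalPodAutoscaler, which is not permitted here", [input.metadata.name])
}

# A resource ends up in the default namespace in two ways: it names it
# explicitly, or it sets no namespace and `kubectl apply` falls back to the
# current context's namespace (default unless configured otherwise).
# Two rule bodies with the same head are OR-ed together in Rego.
in_default_namespace {
    input.metadata.namespace == "default"
}

in_default_namespace {
    # `not` of an undefined expression is true, so this body matches
    # manifests whose metadata has no namespace field at all.
    not input.metadata.namespace
}

# Warn on both cases above.
warn_no_default_namespace[msg] {
    in_default_namespace
    msg := sprintf("%s should not be configured to live in the default namespace", [input.metadata.name])
}
```

Evaluated against the README's example manifest, these rules make the HPA produce the failure plus a namespace warning (it is explicitly in `default`), while the Deployment produces only a namespace warning because it sets no namespace.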
`ccheck` is then invoked with a directory of such policies via:
```bash
ccheck -p <policy-directory> <config-file>
```
where `-p` names the directory holding the `.rego` files and the remaining argument is the config to check (the placeholders follow the `example/policies example/test.yaml` invocation in the full example below). For example, using the following file:
**Example Kubernetes `.yaml` file**
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80
---
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: nginx
  namespace: default
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx
  minReplicas: 1
  maxReplicas: 10
  targetCPUUtilizationPercentage: 50
```

This will produce the following output. Note that both messages concern the Deployment rather than the HPA: `not is_hpa` is true for every non-HPA resource, and `not input.metadata.namespace = "default"` is true because the Deployment sets no `namespace` at all.
```bash
Warning: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment should not be configured to live in the default namespace
Failure: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment must not include any Horizontal Pod AutoScalers
```

**Full Example:**
If you would like to see `ccheck` in action, this project bundles the example above in its source. Just clone the project and run:
```bash
./ccheck -p example/policies example/test.yaml
Warning: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment should not be configured to live in the default namespace
Failure: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment must not include any Horizontal Pod AutoScalers
```

## FAQ
- Why use `rego` instead of another declarative language like `hcl`?
Although `rego` is a very new, domain-specific language, its simple grammar and extensibility were the main motivators for using it instead of a more popular declarative language or framework. As an added bonus, policies declared in `rego` can be reused in [kubernetes admission controllers](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/) powered by [Open Policy Agent](https://www.openpolicyagent.org/), once `input` is pointed at the manifest inside the `AdmissionReview` the API server sends.
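In OPA's admission-control setup, `input` is the `AdmissionReview` envelope and the manifest is nested at `input.request.object`, so a `ccheck` rule that reads `input.kind` directly is evaluated against the envelope and never matches. The adapter below is an added example, not part of the `ccheck` project or of OPA's tutorial. It assumes the `ccheck` policy is loaded into the same OPA as `package main` (the package this README uses), uses the `kubernetes.admission` package name and the `deny` set from OPA's Kubernetes tutorial, is written in pre-v1 Rego syntax like the README, and relies on `ccheck`'s `deny_`/`warn_` naming convention to pick up every such rule instead of listing them one by one:

```rego
package kubernetes.admission

# Re-run every rule in package main whose name starts with "deny_" with
# `input` rebound to the bare manifest (input.request.object), and collect
# the messages into the single `deny` set the admission webhook reports.
# Rules that are not sets, such as the boolean helper is_hpa, are undefined
# when indexed and so contribute nothing.
deny[msg] {
    some name
    msg := data.main[name][_] with input as input.request.object
    startswith(name, "deny_")
}

# Same treatment for warn_* rules. The tutorial's admission response has no
# warning channel, so these are exposed as a separate set that the caller
# can log rather than enforce.
warn[msg] {
    some name
    msg := data.main[name][_] with input as input.request.object
    startswith(name, "warn_")
}
```

Because `with input as ...` only rebinds `input` for the one expression it is attached to, the `ccheck` rules keep working unchanged on the command line, and the adapter is the only place that knows about the `AdmissionReview` shape.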
## Additional References
- [Rego language spec](https://www.openpolicyagent.org/docs/latest)
- [Open Policy Agent Project](https://www.openpolicyagent.org/)