https://github.com/instrumenta/policies

A set of shared policies for use with Conftest and other Open Policy Agent tools
https://github.com/instrumenta/policies

conftest open-policy-agent

Last synced: 3 months ago
JSON representation

A set of shared policies for use with Conftest and other Open Policy Agent tools

• Host: GitHub
• URL: https://github.com/instrumenta/policies
• Owner: instrumenta
• License: other
• Created: 2020-03-04T09:08:52.000Z (about 5 years ago)
• Default Branch: master
• Last Pushed: 2021-01-20T13:43:37.000Z (over 4 years ago)
• Last Synced: 2025-01-09T11:45:19.644Z (4 months ago)
• Topics: conftest, open-policy-agent
• Language: Open Policy Agent
• Size: 11.7 KB
• Stars: 67
• Watchers: 10
• Forks: 10
• Open Issues: 5
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# Policies

Open Policy Agent is a powerful library, and with tools like [Conftest](https://github.com/instrumenta/conftest),

[Gatekeeper](https://github.com/open-policy-agent/gatekeeper) and more it has many uses.

By focusing on shared policies we can lower the barrier to entry to using these tools, as well as make it easier to

learn the Rego language.

## An example

A good example of where this is useful is with Conftest, and it's ability to pull policies from external sources.

Without being an expert in Rego, or needing to write any rules, it's possible to test your deployments with Conftest like so:

```console

$ conftest test --update github.com/instrumenta/policies.git//kubernetes deployment+service.yaml

PASS - deployment+service.yaml - data.main.violation

FAIL - deployment+service.yaml - hello-kubernetes in the Deployment hello-kubernetes does not have a memory limit set

FAIL - deployment+service.yaml - hello-kubernetes in the Deployment hello-kubernetes does not have a CPU limit set

FAIL - deployment+service.yaml - hello-kubernetes in the Deployment hello-kubernetes doesn't drop all capabilities

FAIL - deployment+service.yaml - hello-kubernetes in the Deployment hello-kubernetes is not using a read only root filesystem

FAIL - deployment+service.yaml - hello-kubernetes in the Deployment hello-kubernetes allows priviledge escalation

FAIL - deployment+service.yaml - hello-kubernetes in the Deployment hello-kubernetes is running as root

```

## Interested?

This repository is hopefully a staging ground to collect together some useful policies in one place. This is not a unique idea,

and the community is actively discussing sharing and reuse at the moment.

If you're interested in shared policies for Open Policy Agent please join the conversation. Join us on the Open Policy Agent

Slack in the `#registry` channel, as well as the `#falco-opa-registry` channel on the [CNCF Slack](https://slack.cncf.io/).