Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/np-guard/netpol-verify-gh-action
Checks a cluster's network connectivity against a set of corporate policies.
https://github.com/np-guard/netpol-verify-gh-action
connectivity kubernetes network network-analysis networking policies
Last synced: 14 days ago
JSON representation
Checks a cluster's network connectivity against a set of corporate policies.
- Host: GitHub
- URL: https://github.com/np-guard/netpol-verify-gh-action
- Owner: np-guard
- License: apache-2.0
- Created: 2021-08-19T12:51:57.000Z (over 3 years ago)
- Default Branch: master
- Last Pushed: 2022-01-04T09:00:20.000Z (about 3 years ago)
- Last Synced: 2024-12-22T19:06:59.179Z (about 2 months ago)
- Topics: connectivity, kubernetes, network, network-analysis, networking, policies
- Homepage:
- Size: 85 KB
- Stars: 3
- Watchers: 2
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Verify cluster connectivity against corporate policies
## About
This action checks the connectivity in a given Kubernetes cluster against a set of corporate policies. It will first extract the cluster's connectivity graph by scanning your repository for YAML files containing endpoint resources (e.g., Deployments) or connectivity resources (Kubernetes NetworkPolicies). It will then verify that the connectivity graph adheres to a set of corporate policies, given as the action's input. Corporate policies are defined in YAML files; their syntax is defined [here](https://github.com/np-guard/baseline-rules).
This action is part of a wider attempt to provide [shift-left automation for generating and maintaining Kubernetes Network Policies](https://np-guard.github.io/).
## Inputs
### corporate-policies
A space-separated list of corporate policy files to verify (either as GitHub URLs or paths under GitHub workspace)
### deployment-path
(Optional) The path in the GitHub workspace where deployment yamls are. Default is . (scanning the whole repository).
### netpol-path
(Optional) The path in the GitHub workspace where the NetworkPolicy yamls are stored. Default is . (scanning the whole repository).
### output-format
(Optional) The format in which to output verifitaion results. Either "md" (default) or "txt".
## Outputs
### policy-results-artifact
The name of the artifact containing verification results for all policies
### policy-results-file
The name of the actual file in the artifact, which contains verification results for all policies
### num-violated-policies
The number of corporate policies which the cluster's connectivity graph violates
## Usage examples
### Run and fail if a policy is violated
Can be used to block a pull-request from being merged.
```yaml
name: verify-network-policies
on:
pull_request:
jobs:
verify-netpols:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Verify policies
id: verify-policies
uses: np-guard/netpol-verify-gh-action@v2
with:
corporate-policies: >
https://github.com/np-guard/baseline-rules/blob/master/examples/ciso_denied_ports.yaml
- run: exit ${{ steps.verify-policies.outputs.num-violated-policies }}
```
### Add policy verification results as a PR comment
```yaml
name: verify-network-policies
on:
pull_request:
jobs:
verify-netpols:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Verify policies
id: verify-policies
uses: np-guard/netpol-verify-gh-action@v2
with:
corporate-policies: >
https://github.com/np-guard/baseline-rules/blob/master/examples/ciso_denied_ports.yaml
https://github.com/np-guard/baseline-rules/blob/master/examples/restrict_access_to_payment.yaml
- uses: actions/download-artifact@v2
with:
name: ${{ steps.verify-policies.outputs.policy-results-artifact }}
- name: comment PR
run: gh pr comment ${{ github.event.number }} -F ${{ steps.verify-policies.outputs.policy-results-file }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
This should output something like this:
