Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/plexsystems/konstraint
A policy management tool for interacting with Gatekeeper
conftest gatekeeper kubernetes opa open-policy-agent policy rego
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/plexsystems/konstraint
- Owner: plexsystems
- License: mit
- Created: 2019-09-13T03:02:46.000Z (over 5 years ago)
- Default Branch: main
- Last Pushed: 2024-05-13T23:41:20.000Z (8 months ago)
- Last Synced: 2024-05-14T00:51:04.894Z (8 months ago)
- Topics: conftest, gatekeeper, kubernetes, opa, open-policy-agent, policy, rego
- Language: Go
- Homepage:
- Size: 1.21 MB
- Stars: 374
- Watchers: 8
- Forks: 46
- Open Issues: 7
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
Awesome Lists containing this project
- awesome-policy-as-code - Konstraint - A policy management tool for interacting with Gatekeeper (Tools / Others)
- awesome-repositories - plexsystems/konstraint - A policy management tool for interacting with Gatekeeper (Go)
- awesome-k8s-resources - Konstraint - Konstraint is a CLI tool to assist with the creation and management of constraints when using Gatekeeper. (Tools and Libraries / Security and Compliance)
- awesome-opa - Konstraint - CLI tool for working with templates and constraints when using Gatekeeper (Kubernetes / Built with Wasm)
README
# Konstraint
[![Go Report Card](https://goreportcard.com/badge/github.com/plexsystems/konstraint)](https://goreportcard.com/report/github.com/plexsystems/konstraint)
[![GitHub release](https://img.shields.io/github/release/plexsystems/konstraint.svg)](https://github.com/plexsystems/konstraint/releases)

![logo](images/logo.png)
Konstraint is a CLI tool to assist with the creation and management of templates and constraints when using [Gatekeeper](https://github.com/open-policy-agent/gatekeeper).
## Installation
```text
go install github.com/plexsystems/konstraint@latest
```

A docker image is also provided for each release:

```text
docker run -v $PWD:/konstraint ghcr.io/plexsystems/konstraint create /konstraint/examples
```

## Usage
To create the Gatekeeper resources, use `konstraint create`.
To generate the accompanying documentation, use `konstraint doc`.
Both commands support the `--output` flag to specify where to save the output. For more detailed usage documentation, see the [CLI Documentation](docs/cli/konstraint.md).
## Why this tool exists
### Automatically copy Rego to the ConstraintTemplate
When writing policies for Gatekeeper, the Rego must be added to [ConstraintTemplates](https://github.com/open-policy-agent/gatekeeper#constraint-templates) in order for Gatekeeper to enforce the policy. This creates a scenario in which the Rego is written in a `.rego` file and then copied into the ConstraintTemplate. Whenever the Rego needs to change, both copies must be updated.
### Automatically update all ConstraintTemplates with library changes
Gatekeeper supports importing _libraries_ into `ConstraintTemplates` with the `libs` field. If a change is required to the imported library, every template must be updated to include this new change.
### Enable writing the same policies for Conftest and Gatekeeper
With Gatekeeper, policies are evaluated in the context of an [AdmissionReview](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#webhook-request-and-response). This means that policies are typically written with a prefix of `input.review.object`.
With [Conftest](https://github.com/open-policy-agent/conftest), policies are written against `yaml` files.
This creates a scenario where the policy needs to be written differently depending on the context in which it is evaluated.
### Kubernetes Libraries
In the [examples/lib](examples/lib) directory, there are multiple libraries that enable policies to be written for both Conftest and Gatekeeper.
You can include as few or as many of these libraries in your policies as desired.
#### Purpose
By first validating the Kubernetes manifests with `Conftest` on a local machine, we can catch manifests that would otherwise violate policy without needing to deploy to a cluster running Gatekeeper.
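To make the two sections above concrete, here is an added example (not Konstraint's own `examples/lib` code) of a small helper library and a policy that uses it so the same Rego runs under both Conftest and Gatekeeper; `lib.core`, `resource` and `is_gatekeeper` are assumed names, the two files are shown in one block separated by comments, and the syntax is classic (pre-OPA-1.0) Rego.

```rego
# --- lib/core.rego (constructed helper library; assumed name lib.core) ---
package lib.core

# Gatekeeper evaluates policies against an AdmissionReview, so the manifest
# sits at input.review.object. Conftest evaluates the YAML document directly,
# so the manifest is the whole input. `resource` hides that difference.
default is_gatekeeper = false

is_gatekeeper {
    input.review.object
}

resource = input.review.object {
    is_gatekeeper
}

resource = input {
    not is_gatekeeper
}

# --- policy/container_deny_privileged.rego (constructed policy) ---
package container_deny_privileged

import data.lib.core

# Konstraint copies this file into the generated ConstraintTemplate and
# carries lib.core along via the template's libs field, so the Rego is
# maintained in one place. The rule is named violation[] because that is
# what Gatekeeper evaluates; Conftest reports violation rules too, so
# `conftest test` uses the file unchanged.
violation[{"msg": msg}] {
    # Assumes a Deployment-shaped manifest (spec.template.spec.containers).
    container := core.resource.spec.template.spec.containers[_]
    container.securityContext.privileged == true
    msg := sprintf("container %v must not run privileged", [container.name])
}
```

Running `conftest test deployment.yaml` locally evaluates `resource` as the YAML document, while the same rule inside the ConstraintTemplate sees `input.review.object`.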
## FAQ
**Konstraint ran without error, but I don't see any new files.**
This typically means no policies were found, or the policies did not have any `violation[]` rules, so they are not compatible with Gatekeeper.
For more information, see [How Constraints are Created](docs/constraint_creation.md).
**My ConstraintTemplates are missing the input parameters**
Input parameters can be specified by using one or more `@parameter` tags in the comment header block. If you use input parameters, Konstraint will skip generating the `Constraint` resource for that policy.
For more information, see [Using Input Parameters](docs/constraint_creation.md#using-input-parameters).