Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/wish/gatekeeper

Verify Kubernetes configuration files against custom rules
https://github.com/wish/gatekeeper

golang jsonnet kubernetes

Last synced: 4 days ago
JSON representation

Verify Kubernetes configuration files against custom rules

Host: GitHub
URL: https://github.com/wish/gatekeeper
Owner: wish
License: apache-2.0
Created: 2018-06-21T21:22:35.000Z (over 6 years ago)
Default Branch: master
Last Pushed: 2019-09-12T08:21:15.000Z (about 5 years ago)
Last Synced: 2024-09-26T00:58:53.590Z (8 days ago)
Topics: golang, jsonnet, kubernetes
Language: Go
Homepage:
Size: 39.1 KB
Stars: 11
Watchers: 5
Forks: 3
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        # Gatekeeper

[![Build Status](https://travis-ci.org/wish/gatekeeper.svg?branch=master)](https://travis-ci.org/wish/gatekeeper)

[![Docker Repository on Quay](https://quay.io/repository/wish/gatekeeper/status "Docker Repository on Quay")](https://quay.io/repository/wish/gatekeeper)

`gatekeeper` is a tool for verifying Kubernetes configuration files against custom rules defined in a Jsonnet ruleset. It will return a list of errors it encounters while verifying the files.

```

$ gatekeeper -r sample/ruleset.jsonnet sample/service

1. Broken LT() rule: 

{

	"actual": 24,

	"expected": 20,

	"key": "spec.replicas",

	"path": "sample/service/sample.json",

	"rule_type": "allow"

}

```

## Building

First install [dep](https://github.com/golang/dep) and run `dep ensure`. Then run `make` to build a binary inside `$GOPATH/bin`.

```

$ dep ensure

$ make

```

## Ruleset Layout

Gatekeeper requires a jsonnet file that defines the rules you want to apply. The jsonnet file must be in the format of:

```

{

    ignore: ["somefile.yaml"],

    rules: [

        {

            regex: "file.json",

            kind: "Deployment",

            type: "allow",

            ruleTree: {

                ...

            }

        },

        ...

    ]

}

```

`ignore` contains filenames that gatekeeper will ignore.

`rules` is an array of rule objects. Each rule object has 4 required keys. 

`regex` matches the files that this rule will apply to. `gatekeeper` will check the regex on the filename of each file.

`kind` matches the kind of resources that this rule will apply to.

`type` can be either `allow` or `deny`. An allow rule will pass if no functions are broken. A deny rule will produce an error if any of the functions pass.

`ruleTree` defines the actual content of the rule in a json object. It follows the same layout as the resource kind that it's applied to. You can use ruleset functions to check the values of specific fields in the resource. See the sample ruleset.jsonnet for examples.

## Ruleset Functions

There are a variety of functions you can use in you ruleset jsonnet to check values in your Kubernetes configuration:

#### LT()

LT() is used to verify that the field in the configuration is less than the specified number

```

...

    spec: {

        replicas: LT(3)

    }

...

```

#### GT()

GT() is used to verify that the field in the configuration is greater than the specified number

```

...

    spec: {

        replicas: GT(0)

    }

...

```

#### EQ()

EQ() is used to verify that the field in the configuration is equal to the specified value

```

...

    metadata: {

        name: EQ("service")

    }

...

```

#### AND()

AND() is used to verify that both of its child functions are valid.

```

...

    spec: {

        replicas: AND(GT(0), LT(30))

    }

...

```

#### OR()

OR() is used to verify that at least one of its child functions are valid

```

...

    metadata: {

        name: OR(EQ("serviceA"), EQ("serviceB"))

    }

...

```

#### NOT()

NOT() is used to verify that its child functions is not valid

```

...

    spec: {

        replicas: NOT(EQ(7))

    }

...

```

#### TAG()

TAG() is used to verify that all fields in the configuration with the same tag in their TAG() function has the same value

```

...

    metadata: {

        labels: {

            name: TAG("namespace")

        },

        name: TAG("namespace") 

    }

...

```

#### PATH()

PATH() is used to verify that the field in the configuration is equal to the section of the file path indicated by the index.

Verifying file /path/to/file:

```

...

    metadata: {

        name: PATH(0) //verify name == "file",

        name2: PATH(1) //verify name2 == "to",

        name3: PATH(2) //verify name3 == "path"

    }

...

```

## Contributing

If you would have any suggestions, improvements, or bugs please open issues [here](https://github.com/wish/gatekeeper/issues).

If you would like to contribute to gatekeeper, please make a pull request.