ccheck is a command line application for writing tests against configuration files and data using the rego query language. Its intended purpose is checking Kubernetes config files (.json or .yaml), but it can be extended to support other file types.
The ccheck binary looks for rego rules named deny_<rule_name> and warn_<rule_name> during its evaluation process. Every resource in the files being checked is evaluated separately as `input`. If a resource matches a "deny" rule, a failure is issued; if it matches a "warn" rule, a warning is logged to the command line. An example of a valid, well-formed ccheck policy is as follows:

Example .rego file

```rego
package main

is_hpa {
    input.kind = "HorizontalPodAutoscaler"
}

# the namespace a resource will be created in: the one it declares, or
# "default" when it declares none
default target_namespace = "default"
target_namespace = input.metadata.namespace

# checks that we do not include any horizontal pod autoscalers
deny_no_hpa[msg] {
    is_hpa
    msg = sprintf("%s must not be a Horizontal Pod AutoScaler", [input.metadata.name])
}

# checks that apps do not live in the default namespace
warn_no_default_namespace[msg] {
    target_namespace = "default"
    msg = sprintf("%s should not be configured to live in the default namespace", [input.metadata.name])
}
```

N.B. As an added bonus you can also use ccheck rules as policies in the Open Policy Agent Admission Controller.

ccheck can then be invoked using this policy via:

```sh
ccheck -p <policy directory> <files to check....>
```

For example, using the following file:

Example Kubernetes .yaml file

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80
---
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: nginx
  namespace: default
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx
  minReplicas: 1
  maxReplicas: 10
  targetCPUUtilizationPercentage: 50
```

will produce the following output (the Deployment declares no namespace and so would land in `default`; the HorizontalPodAutoscaler declares `default` explicitly and is itself a denied kind):

```
Warning: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment should not be configured to live in the default namespace
Warning: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx should not be configured to live in the default namespace
Failure: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx must not be a Horizontal Pod AutoScaler
```

Full Example:

If you would like to see ccheck in action, this project bundles this example in its source as well. Just clone this project and run:

```
./ccheck -p example/policies example/test.yaml
Warning: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment should not be configured to live in the default namespace
Warning: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx should not be configured to live in the default namespace
Failure: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx must not be a Horizontal Pod AutoScaler
```
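A more security-focused policy written in the same style, as an added example that is not one of ccheck's bundled policies: it assumes only what is described above (each document is evaluated as `input`, a deny_* match is a failure, a warn_* match is a warning). The rule names, the `workload_kinds` set and the `pod_spec`, `containers` and `image_tag` helpers are this example's own.

```rego
package main

# Added example policy, not ccheck's own. Assumes, as the README states, that
# ccheck evaluates every YAML/JSON document as `input`, reports a deny_* match
# as a failure and a warn_* match as a warning.

workload_kinds = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}

# The PodSpec to inspect: a bare Pod's own spec, or a workload's pod template.
# The two bodies are mutually exclusive, so this complete rule never conflicts.
pod_spec = input.spec { input.kind = "Pod" }
pod_spec = input.spec.template.spec { workload_kinds[input.kind] }

# Every container of the pod, init containers included
containers[c] { c = pod_spec.containers[_] }
containers[c] { c = pod_spec.initContainers[_] }

# A privileged container has unrestricted access to the node
deny_privileged[msg] {
    c = containers[_]
    c.securityContext.privileged = true
    msg = sprintf("%s: container %s must not run privileged", [input.metadata.name, c.name])
}

# Sharing the host's network or PID namespace defeats pod isolation
deny_host_namespaces[msg] {
    pod_spec.hostNetwork = true
    msg = sprintf("%s must not set hostNetwork", [input.metadata.name])
}
deny_host_namespaces[msg] {
    pod_spec.hostPID = true
    msg = sprintf("%s must not set hostPID", [input.metadata.name])
}

# Fail closed: a container is denied unless runAsNonRoot is explicitly true
# on the container or on the pod
deny_run_as_root[msg] {
    c = containers[_]
    not c.securityContext.runAsNonRoot = true
    not pod_spec.securityContext.runAsNonRoot = true
    msg = sprintf("%s: container %s must set securityContext.runAsNonRoot: true", [input.metadata.name, c.name])
}

# The tag of an image reference, undefined when there is none.
# "registry:5000/nginx" has a port after its last ":", not a tag, hence the "/" check.
# A digest reference such as "nginx@sha256:..." yields the digest, which is pinned.
image_tag(image) = tag {
    parts = split(image, ":")
    count(parts) > 1
    n = count(parts) - 1
    tag = parts[n]
    not contains(tag, "/")
}

# Unpinned images are a supply-chain risk; warn rather than fail so that
# existing manifests can be migrated gradually
warn_unpinned_image[msg] {
    c = containers[_]
    not image_tag(c.image)
    msg = sprintf("%s: container %s image %s has no tag; pin a version or digest", [input.metadata.name, c.name, c.image])
}
warn_unpinned_image[msg] {
    c = containers[_]
    image_tag(c.image) = "latest"
    msg = sprintf("%s: container %s uses the mutable tag latest", [input.metadata.name, c.name])
}
```

Place this file in the policy directory passed with `-p` and run ccheck over the manifests as above. Against the example Deployment, the only rule that fires is `deny_run_as_root`, because its container sets no `securityContext` at all; that is the fail-closed behaviour a security policy should have, since an absent field is indistinguishable from a misconfigured one. Kinds outside `workload_kinds` (such as the HorizontalPodAutoscaler) leave `pod_spec` undefined, so none of these rules fire on them.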
Why use rego instead of another declarative language like hcl?

Although rego is a very new and domain-specific language, its simple grammar and extensibility were the main motivators for using it instead of a more popular declarative language or framework. As an added bonus, you can re-use your policies declared in rego right out of the box in Kubernetes admission controllers powered by Open Policy Agent.