A community-owned library of policies for the OPA Gatekeeper project.
You can use kustomize to install some or all of the templates alongside your own contraints.
First, create a kustomization.yaml
file:
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- github.com/open-policy-agent/gatekeeper-library/library
# You can optionally install a subset by specifying a subfolder, or specify a commit SHA
# - github.com/open-policy-agent/gatekeeper-library/library/pod-security-policy?ref=0c82f402fb3594097a90d15215ae223267f5b955
- constraints.yaml
Then define your constraints in a file called constraints.yaml
in the same directory. Example constraints can be found in the "samples" folders.
You can install everything with kustomize build . | kubectl apply -f -
.
More information can be found in the kustomization documentation.
Instead of using kustomize, you can directly apply the template.yaml
and constraint.yaml
provided in each directory under library/
For example
cd library/general/httpsonly/
kubectl apply -f template.yaml
kubectl apply -f samples/ingress-https-only/constraint.yaml
kubectl apply -f library/general/httpsonly/sync.yaml # optional: when GK is running with OPA cache
The suite.yaml
files define test cases for each ConstraintTemplate in the library.
Changes to gatekeeper-library ConstraintTemplates may be tested with the gator CLI:
gatekeeper-library$ gator test ./...
The gator CLI may be downloaded from the Gatekeeper releases page.
If you have a policy you would like to contribute, please submit a pull request. Each new policy should contain:
- A constraint template named
src/<policy-name>/constraint.tmpl
with adescription
annotation and the parameter structure, if any, defined inspec.crd.spec.validation.openAPIV3Schema
. The template is rendered using gomplate. - One or more sample constraints, each with an example of an allowed (
example_allowed.yaml
) and disallowed (example_disallowed.yaml
) resource underlibrary/<policy-name>/samples/<policy-name>
kustomization.yaml
andsuite.yaml
underlibrary/<policy-name>
- The rego source, as
src.rego
and unit tests assrc_test.rego
in the corresponding subdirectory undersrc/<policy-name>
- policy code and tests are maintained in
src/<policy-name>/src.rego
andsrc/<policy-name>/src_test.rego
make generate
will generatelibrary/<policy-name>/template.yaml
fromsrc/<policy-name>/src.rego
using gomplate.- run all tests with
./test.sh
- run single test with
opa test src/<folder>/src.rego src/<folder>/src_test.rego --verbose
- print results with
trace(sprintf("%v", [thing]))