Skip to content

/ gatekeeper-library

The OPA Gatekeeper policy library.

Apache-2.0 License
252 stars 102 forks
Star
Notifications
master
Switch branches/tags
1 branch 0 tags
Code
Clone

Use Git or checkout with SVN using the web URL.

Latest commit

@philsphicas @ritazh
philsphicas and ritazh Fix k8spsphostfilesystem path matching (#97)
3f73cca Aug 5, 2021
Fix k8spsphostfilesystem path matching (#97) 
This change updates the path matching logic to correctly handle "/",
which should match all paths.

Closes #96

Signed-off-by: Phil Sphicas <phil.sphicas@att.com>

Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>
3f73cca

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
.github/workflows
update test matrix and dependencies (#94)
Jul 16, 2021
library
Fix k8spsphostfilesystem path matching (#97)
Aug 5, 2021
src
Fix k8spsphostfilesystem path matching (#97)
Aug 5, 2021
test
add mutation pod security policies (#72)
May 28, 2021
.gitignore
add type to openapischema (#95)
Jul 26, 2021
LICENSE
Initial commit
Jun 11, 2019
Makefile
update test matrix and dependencies (#94)
Jul 16, 2021
NOTICE
Add notice
Sep 11, 2020
README.md
streamline readme (#32)
Mar 12, 2021
test.sh
add testing (#33)
Dec 15, 2020
OPA Gatekeeper Library Usage How to contribute to the library New policy Development

README.md

OPA Gatekeeper Library

A community-owned library of policies for the OPA Gatekeeper project.

Usage

Apply the template.yaml and constraint.yaml provided in each directory under library/

For example

cd library/general/httpsonly/
kubectl apply -f template.yaml
kubectl apply -f samples/ingress-https-only/constraint.yaml
kubectl apply -f library/general/httpsonly/sync.yaml # optional: when GK is running with OPA cache

How to contribute to the library

New policy

If you have a policy you would like to contribute, please submit a pull request. Each new policy should contain:

  • A constraint template with a description annotation and the parameter structure, if any, defined in spec.crd.spec.validation.openAPIV3Schema
  • One or more sample constraints, each with an example of an allowed (example_allowed.yaml) and disallowed (example_disallowed.yaml) resource.
  • The rego source, as src.rego and unit tests as src_test.rego in the corresponding subdirectory under src/

Development

  • policy code and tests are maintained in src/ folder and then manually copied into library/
  • run all tests with ./test.sh
  • run single test with opa test src/<folder>/src.rego src/<folder>/src_test.rego --verbose
  • print results with trace(sprintf("%v", [thing]))

About

The OPA Gatekeeper policy library.

Topics

kubernetes cncf policy opa gatekeeper policy-library

Resources

Readme

License

Apache-2.0 License

Releases

No releases published

Packages

No packages published

Contributors 29

+ 18 contributors

Languages