
Emit msg with Exceptions

Open dan-slinky-ckpd opened this issue 5 years ago • 8 comments

I would like to be able to emit a human readable message for Exceptions so it's easy to see why something has been excluded. Currently it's not very obvious.

[Screenshot 2020-10-15 at 17 08 27: conftest output showing excepted files without a reason]

dan-slinky-ckpd avatar Oct 15 '20 18:10 dan-slinky-ckpd

What version of Conftest are you using? The master branch already solves this issue by showing the exception triggered:

EXCP - examples/exceptions/deployments.yaml - data.main.exception[_][_] == "run_as_root"

Maybe this is already enough to cover your use case, it would at least indicate from what rule the configuration object was excepted. Or do you have other use cases that require a bit more control over the output of the exceptions?

Blokje5 avatar Oct 18 '20 11:10 Blokje5

@Blokje5 I am using 0.21.0.

I have just tried master as suggested. Unfortunately this doesn't help me enough as it only works if you're testing files, but I'm using kustomize to build the manifests, for example:

$ kustomize build thing | conftest test -
EXCP - data.main.exception[_][_] == "missing_memory_limits"
EXCP - data.main.exception[_][_] == "missing_cpu_limits"

I would like to be able to use sprintf to customize the msg with string values.

A lightweight pseudo example of what I'd like to be able to do:

package main

# Assumes conftest's example kubernetes helper library (kubernetes.containers,
# kubernetes.kind, kubernetes.name); the import path is an assumption.
import data.lib.kubernetes

deny_missing_memory_limits[msg] {
	container := kubernetes.containers[_]
	not container.resources.limits.memory
	msg := sprintf("%s in the %s %s does not have a memory limit set", [container.name, kubernetes.kind, kubernetes.name])
}

deny_missing_cpu_limits[msg] {
	container := kubernetes.containers[_]
	not container.resources.limits.cpu
	msg := sprintf("%s in the %s %s does not have a CPU limit set", [container.name, kubernetes.kind, kubernetes.name])
}

# exception for my-special-deployment limits due to performance issues
# NOTE: proposed syntax, not what conftest accepts today (today it is exception[rules])
exception[rules, msg] {
	input.kind == "Deployment"
	input.metadata.name == "my-special-deployment"
	reason := "some performance issues"
	rules := ["missing_memory_limits", "missing_cpu_limits"]

	# EXAMPLE
	msg := sprintf("%s excluded rule because %s", [input.metadata.name, reason])
}

dan-slinky-ckpd avatar Oct 19 '20 09:10 dan-slinky-ckpd
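The policy below is an added example, not code from the issue or from the conftest project, showing how a human-readable reason can be surfaced with the `exception[rules]` syntax conftest already evaluates (the `data.main.exception[_][_] == "<suffix>"` query shown above). It keeps the exception as a plain set of rule-name suffixes and pairs it with a `warn_` rule whose suffix is deliberately not in that list, so the warning is never excepted and fires exactly when the exception does. Rule names, the assumed Deployment layout and the reason text are constructed for the example; it uses pre-1.0 Rego syntax, matching conftest of that era:

```rego
package main

# Constructed helper (no external lib): every container of a Deployment.
# Assumes the usual spec.template.spec.containers layout.
containers[c] {
	input.kind == "Deployment"
	c := input.spec.template.spec.containers[_]
}

deny_missing_memory_limits[msg] {
	c := containers[_]
	not c.resources.limits.memory
	msg := sprintf("%s in the %s %s does not have a memory limit set", [c.name, input.kind, input.metadata.name])
}

deny_missing_cpu_limits[msg] {
	c := containers[_]
	not c.resources.limits.cpu
	msg := sprintf("%s in the %s %s does not have a CPU limit set", [c.name, input.kind, input.metadata.name])
}

# Single source of truth for "this object is excepted", shared by the
# exception and by the reason rule so the two can never drift apart.
is_excepted_deployment {
	input.kind == "Deployment"
	input.metadata.name == "my-special-deployment"
}

# The exception as conftest evaluates it today: a set of rule-name suffixes.
# "missing_memory_limits" excepts deny_missing_memory_limits, and so on.
exception[rules] {
	is_excepted_deployment
	rules := ["missing_memory_limits", "missing_cpu_limits"]
}

# Workaround for a reason: a warn rule whose suffix ("exception_reason")
# is not in the rules list above, so it is never excepted. It produces a
# WARN line (non-failing unless --fail-on-warn is used) alongside the EXCP lines,
# and because it uses input.metadata.name it still identifies the object when
# manifests are piped in via `kustomize build ... | conftest test -`.
warn_exception_reason[msg] {
	is_excepted_deployment
	reason := "some performance issues"  # constructed justification
	msg := sprintf("%s excepted from missing_memory_limits and missing_cpu_limits because %s", [input.metadata.name, reason])
}
```

Because the reason rule derives from the same `is_excepted_deployment` body as the exception, a reviewer reading the WARN output knows which object was excepted and why, without changing the `exception` signature that existing policies depend on.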

Indeed extending the exception rule with a msg would make sense. I like the idea of having the msg be a form of documentation for the exception. Given how new the exceptions are, I don't mind creating a breaking change, moving from exception[rules] to exception[[rules], msg].

Blokje5 avatar Oct 19 '20 20:10 Blokje5

I also have the same requirement, where I need to justify why I am putting that RULE in an exception.

shukla2009 avatar Aug 30 '21 15:08 shukla2009

Same here, we have a very large set of manifests being created using kustomize, and having a more sensible output for exceptions will allow users to identify exactly what the exceptions are - is this still something that's likely to be included in conftest?

madAndroid avatar Mar 14 '22 10:03 madAndroid