
Policies for full collections of Kubernetes resources

Open · mark-rushakoff opened this issue 4 years ago · 1 comment

In our GitOps approach, we fully generate all of our Kubernetes resources -- that is, our git repo contains every definition of all resources we deploy.

We are using conftest to validate cross-resource dependencies, like:

  • For every resource that refers to a namespace, that namespace must be defined
  • For every pod spec that refers to a config map, that config map must exist in the same namespace where the pod will be created
  • For every pod that refers to a service account, that service account must exist in the same namespace where the pod will be created

and so on. Our goal is to catch these kinds of mistakes in CI, before the change gets merged and then fails to deploy.

I'm happy to share the rules we've written, but I'm not sure whether we are following any "standard" organization of rules. We have to use conftest test --combine to handle multiple resources at once. If you can share an initial set of policies that does something with multiple resources, we can follow the more official patterns you establish and share the other rules we've written.

mark-rushakoff · Mar 04 '20 16:03
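The three cross-resource rules listed in the issue, written as one conftest policy for `conftest test --combine`. This is an added example, not the conftest project's own policy or the rules the issue author wrote. It assumes the combined input layout conftest documents (`input` is an array of `{path, contents}`, with `contents` an array for multi-document YAML files), the `import rego.v1` syntax (older conftest releases need the pre-v1 `deny[msg] { ... }` form), and a few assumptions of my own that are marked in comments: the helper names, the set of workload kinds whose pod template is inspected, and the allowlist of namespaces and the `default` service account that every cluster already provides.

```rego
package main

import rego.v1

# ---- Input normalisation -------------------------------------------------
# With `conftest test --combine`, `input` is an array of {path, contents}.
# `contents` is an object for a single-document file and an array for a
# multi-document YAML file, so collect both shapes into one set of documents.
docs contains doc if {
	doc := input[_].contents
	is_object(doc)
}

docs contains doc if {
	c := input[_].contents
	is_array(c)
	doc := c[_]
}

# Namespace a namespaced resource lands in when metadata.namespace is omitted.
namespace_of(doc) := ns if {
	ns := doc.metadata.namespace
} else := "default"

# Assumption: namespaces the cluster creates itself need no definition in git.
builtin_namespaces := {"default", "kube-system", "kube-public", "kube-node-lease"}

# ---- What the repo defines -----------------------------------------------
defined_namespaces contains name if {
	some doc in docs
	doc.kind == "Namespace"
	name := doc.metadata.name
}

defined_configmaps contains [ns, name] if {
	some doc in docs
	doc.kind == "ConfigMap"
	ns := namespace_of(doc)
	name := doc.metadata.name
}

defined_serviceaccounts contains [ns, name] if {
	some doc in docs
	doc.kind == "ServiceAccount"
	ns := namespace_of(doc)
	name := doc.metadata.name
}

# ---- Pod specs, bare or inside a workload's pod template -----------------
pod_specs contains [doc, spec] if {
	some doc in docs
	doc.kind == "Pod"
	spec := doc.spec
}

pod_specs contains [doc, spec] if {
	some doc in docs
	# Assumption: the workload kinds we generate; extend as needed (CronJob nests deeper).
	doc.kind in {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}
	spec := doc.spec.template.spec
}

# ConfigMap names a pod spec pulls in: volumes, env valueFrom and envFrom.
# Each comprehension is simply empty when the field is absent.
referenced_configmaps(spec) := names if {
	from_volumes := {v.configMap.name | some v in spec.volumes}
	from_env := {e.valueFrom.configMapKeyRef.name | some c in spec.containers; some e in c.env}
	from_envfrom := {e.configMapRef.name | some c in spec.containers; some e in c.envFrom}
	names := union({from_volumes, from_env, from_envfrom})
}

# ---- Cross-resource checks -----------------------------------------------
# 1. Every namespace a resource refers to must be defined in the repo.
deny contains msg if {
	some doc in docs
	ns := doc.metadata.namespace
	not builtin_namespaces[ns]
	not defined_namespaces[ns]
	msg := sprintf("%s/%s refers to namespace %q, which is not defined", [doc.kind, doc.metadata.name, ns])
}

# 2. Every ConfigMap a pod spec references must exist in the pod's namespace.
deny contains msg if {
	some pair in pod_specs
	doc := pair[0]
	ns := namespace_of(doc)
	some name in referenced_configmaps(pair[1])
	not defined_configmaps[[ns, name]]
	msg := sprintf("%s/%s references ConfigMap %q, which does not exist in namespace %q", [doc.kind, doc.metadata.name, name, ns])
}

# 3. Every service account a pod spec names must exist in the pod's namespace.
# Assumption: the "default" service account is created by the cluster, so skip it.
deny contains msg if {
	some pair in pod_specs
	doc := pair[0]
	ns := namespace_of(doc)
	sa := pair[1].serviceAccountName
	sa != "default"
	not defined_serviceaccounts[[ns, sa]]
	msg := sprintf("%s/%s uses ServiceAccount %q, which does not exist in namespace %q", [doc.kind, doc.metadata.name, sa, ns])
}
```

Run it over the whole generated tree, for example `conftest test --combine --policy policy/ manifests/`, so that every file is visible to every rule; without `--combine` each file is evaluated alone and the lookups against `defined_*` would fail for every reference. The checks are scoped by the namespace the referencing pod will be created in, so a ConfigMap of the same name in another namespace does not satisfy them, which is the mistake the issue is trying to catch in CI. Note that a pod that omits `serviceAccountName` is not checked, since it uses the namespace's `default` account, and that init containers are not inspected.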

Hi @mark-rushakoff, in fact we are also implementing the same thing in our organisation. Any advancement on this? Or useful links to other policy repos would be nice. I was hoping that this repo would be the go-to place to find all sorts of policies that you would run in your CI to test your k8s manifests.

ahached · Feb 18 '21 13:02