
Conftest Policy for Kubernetes manifests for checking that images come from a specific registry

Open · w7089 opened this issue 2 years ago · 1 comment

I'm using conftest for validating policies on Kubernetes manifests.

The policy below validates that images in StatefulSet manifests have to come from a specific registry, reg_url:

package main

# Deny a StatefulSet whose first initContainer image is not pulled from reg_url
# (reg_url is a placeholder for the registry host; only initContainers[0] is checked here).
deny[msg] {
  input.kind == "StatefulSet"
  not regex.match("[reg_url]/.+", input.spec.template.spec.initContainers[0].image)

  msg := "images come from artifactory"
}

Is there a way to enforce such a policy for all Kubernetes resources that have an image field somewhere in their description? This may be useful for policy validation on all Helm chart manifests, for instance.

I'm looking for something like:

package main

deny[msg] {
  input.kind == "*" // all resources
  not regex.match("[reg_url]/.+", input.*.image) // any nested image field

  msg := "images come from artifactory"
}

w7089 · Aug 30 '22 12:08

We have a set of libraries in Konstraint that attempt to tackle this problem. This is an example policy that checks for the latest tag across container definitions, which can come from Pods, Deployments, etc.

https://github.com/plexsystems/konstraint/tree/main/examples/container-deny-latest-tag

jpreese · Aug 30 '22 12:08
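As an added example (not code from this issue, nor from Konstraint), the kind-agnostic check the question asks for can also be written directly in conftest's Rego with the built-in `walk`, which visits every nested node of the manifest regardless of `kind` (Deployments, CronJobs, Pods, nested `List` items, and so on). `allowed_registry` is an assumed placeholder value, not something from the issue.

```rego
package main

# Assumption: replace with your own registry host (placeholder, not from the issue).
allowed_registry := "registry.example.com"

# Every image reference anywhere in the document, keyed by its path.
# walk(input, [path, value]) yields each node; keep string values whose
# final path element is "image" (containers, initContainers, ephemeralContainers,
# CronJob job templates, etc. all end up here without per-kind rules).
images[[path, image]] {
  walk(input, [path, image])
  last := count(path) - 1
  path[last] == "image"
  is_string(image)
}

# Render a path such as ["spec","template","spec","containers",0,"image"]
# as a dotted string; indices are numbers, so format each element first.
path_string(path) := concat(".", [sprintf("%v", [p]) | p := path[_]])

# Deny any image whose reference does not start with "<allowed_registry>/".
# Caveat: a plain prefix check treats "registry.example.com:5000/app" as a
# different registry; extend the comparison if you publish on a port.
deny[msg] {
  images[[path, image]]
  not startswith(image, concat("", [allowed_registry, "/"]))
  name := object.get(input, ["metadata", "name"], "<unnamed>")
  msg := sprintf("%s/%s: image %q at %s must come from %s",
    [input.kind, name, image, path_string(path), allowed_registry])
}
```

Because `walk` matches any key literally named `image`, a ConfigMap or CRD that happens to carry such a field is checked too; narrow the rule with an extra `input.kind` or path condition if that produces false positives in your charts.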