Conftest: Configuration linting using OPA's rego policy language

Manageing configuration tends to come down to maintaining loads of yaml or json files which can get messy pretty quickly. To help ensure some standards it's important to lint even these files.

In Kubernetes there are some nice projects to that end, such as KubeScore and Kubelint, but they aren't really customizable in a way which allows you to validate the configuration given a certain context. This is where Conftest and Rego come in to play.

In this post I'd like to show some tips and trips using a working example. The code can be found on Gitlab, but if you'd like to play around with the policies, feel free to clone it and run it locally (Nb. you will need Docker running locally in order to do that).

Conftest can be run as follows:

$ ./bin/conftest test --all-namespaces --data policy/data/dev dev 

What this does test the policies in the policy directory using the --data in policy/data/dev, in this case there is a file stage.yaml with the following contents:

---
stage:
  name: dev
  allowed_kinds:
    - Deployment
    - Service
  required_labels:
    "Deployment":
      - app

Conftest's documentation on --data says that stage will be import'able as follows:

import data.stage

There are a couple of example OPA Policies in the policy directory of the example-project, but here is one I'd like to showcase since it has a couple of features:

package k8s.kind.deployment

import data.stage

deny_deployment_missing_label[msg] {
    is_deployment
    name := input.metadata.name
    all({
       required | required := data.stage.required_labels["Deployment"][_]
       input.metadata.labels[ required ]
    })
    msg := sprintf("Deployment %s must be qualified with a label: %s", [ name , data.stage.required_labels["Deployment"] ])
}

is_deployment {
   input.kind == "Deployment"
}

This policy applies to any configuration file which is of kind "Deployment". It then iterates the required labels from the stage-data and ensures they are present.

Given this configuration and this rules, if a deployment manifest doesn't have a label "app" you can expect a failure message similar to:

FAIL - dev/app/fails-deployment-missing-label.yaml - k8s.kind.deployment - Deployment conftest-example must be qualified with a label: ["app"]

Resources

• Example Project
• Conftest
• OPA Policy Language - Rego
• Rego Playground