swade1987 / deprek8ion Goto Github PK

Not sure I'm doing wrong, but I get some compiler errors

$ docker run --rm -it -v ${PWD}:/project instrumenta/conftest:latest test --policy regopolicy.rego chart/my-chart

Error: build compiler: compiling: 4 errors occurred:
policy/1.16-deprek8ion.rego:20: rego_unsafe_var_error: var _warn is unsafe
policy/1.16-deprek8ion.rego:26: rego_unsafe_var_error: var _warn is unsafe
policy/1.17-deprek8ion.rego:20: rego_unsafe_var_error: var _warn is unsafe
policy/1.17-deprek8ion.rego:26: rego_unsafe_var_error: var _warn is unsafe

Following policy needs updating

• https://github.com/swade1987/deprek8ion/blob/master/policies/_cert-manager.rego

see:

• cert-manager/cert-manager#4021

I've noticed that there are newer versions of the docker image built from this project repo (https://console.cloud.google.com/gcr/images/swade1987/EU/deprek8ion?gcrImageListsize=30).

However, i could not match image tag (eu.gcr.io/swade1987/deprek8ion:1.1.32) with the changes here (any rule fixed? conftest updated? etc).
The project is abandoned for community or the source-of-truth for provided container images is another repo ?

Although still in alpha, looks like you can publish OPA policies to ArtifactHub. Would be good to see deprek8ion policies there to be able to pull down.

These policies look really useful, this is a great use case for rego!

Can you share how you are you using these currently? Is it with an admission controller like OPA Gatekeeper or some other job/process in your deployment pipeline?

Can we add the serviceAccount deprecation on pod spec?

See here: kubernetes/kubernetes#47198.

Hi, I was having a look at https://github.com/swade1987/deprek8ion/blob/master/policies/kubernetes-1.19.rego and wanted to learn more about the removal of admissionregistration.k8s.io/v1beta1 but the https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.19.md did not include any mention of that.

Finally I found kubernetes/kubernetes#82021 which tells that this particular removal is now planned for K8s 1.22. I think the policy files should be updated, what do you think?

Would it be possible to add a license to this repository?

Thank you for your work, this is a really useful tool!

I have a minor suggestion to simplify the Dockerfile:

FROM instrumenta/conftest:v0.18.2
LABEL MAINTAINER Steven Wade <[email protected]>
COPY policies/* /policies/
ENTRYPOINT ["/conftest", "test", "-p", "/policies"]

# Usage: docker run --rm -v $PWD/demo:/demo deprek8ion:latest /demo

This would make the install.sh unnecessary. I can create a PR if you're interested.

One more thing: would it be possible to also host the container on docker hub - it has a very straight-forward GitHub integration and isn't down currently...

If you have a bundle of manifests, it would be nice to be able to verify that manifest against a specific version of Kubernetes.

For example, if you have a bundle.yaml that you intended to deploy to Kubernetes v1.17.0, it would be desirable to programmatically choose with set of Deprek8ion policies to run. In this case you'd include 1.16 and 1.17, but leave the others out.

Maybe a folder per Kubernetes version? e.g. 1.17/kubernetes-1.16.rego 1.17/kubernetes-1.17.rego and then conftest test bundle.yaml -p deprek8ion/$KUBERNETES_VERSION

another example usage, which I prefer:

cat /demo/ingress.yaml | docker run --rm -i quay.io/swade1987/deprek8ion:1.1.7 conftest test -p /policies -

you dont need any volumes in this case, and this is very useful i.e. in building pipelines. furdermore you can diredtly pipe out a kubectl get ... command.

I have this error
ERROR: No deprek8ion policy for kubernetes version 1.21. Check if a newer version of deprek8ion supports this version

Is it possible to test Kubernetes template for version 1.21?

Couldn't find this policy in the current list.

• https://kubernetes.io/docs/reference/using-api/deprecation-guide/#poddisruptionbudget-v125