Skip to content

brendanjryan/ccheck

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
example
example
 
 
pkg
pkg
 
 
.gitignore
.gitignore
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

ccheck

ccheck is a command line application for writing tests against configuration files and data using the rego query language. It's intended purpose is for checking kubernetes config files (.json or .yaml) but can be extended to support other file types.

Usage

The ccheck binary checks for rego rules of the form deny_<rule_name> and warn_<rule_name> during its evaluation process. If a resource matches a "deny" rule, a failure will be issued, otherwise a "warning" will be logged to the command line. An example of a valid, well-formed ccheck config is as follows:

Example .rego file

package main

is_hpa {
  input.kind = "HorizontalPodAutoscaler"
}

# checks that we do not include any horizontal pod autoscalers
deny_no_hpa[msg] {
    not is_hpa
    msg = sprintf("%s must not include any Horizontal Pod AutoScalers", [input.metadata.name])
}

# checks that apps do not live in the default namespace
warn_no_default_namespace[msg] {
    not input.metadata.namespace = "default"
    msg = sprintf("%s should not be configured to live in the default namespace", [input.metadata.name])

N.B. As an added bonus you can also use ccheck rules as policies in the Open Policy Agent Admission Controller

ccheck can then be invoked using this policy via:

ccheck -p <policy directory> <files to check....>

For example using the following file:

Example Kubernetes .yaml file

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80

---

apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: nginx
  namespace: default
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx
  minReplicas: 1
  maxReplicas: 10
  targetCPUUtilizationPercentage: 50

Will produce the following output:

Warning: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment should not be configured to live in the default namespace
Failure: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment must not include any Horizontal Pod AutoScalers
brendanjryan@Brendans-MacBook-Pro:~/projects/ccheck|

Full Example:

If you would like to see ccheck in action - this project bundles this example in its source as well. Just clone this project and run:

./ccheck -p example/policies example/test.yaml 
Warning: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment should not be configured to live in the default namespace
Failure: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment must not include any Horizontal Pod AutoScalers

FAQ

  • Why use rego instead of another declarative language like hcl?

    Although rego is a very new and domain specific language, it's simple grammar and extensibility were the main motivators in using it instead of a more popular declarative language or framework. As an added bonus, you can re-use your policies declared in rego right out of the box in kubernetes admission controllers powered by Open Policy Agent

Additional References

About

A command line tool for validating Kubernetes configs with rego

Topics

kubernetes yaml validation test cncf opa rego

Resources

Readme
Activity

Stars

65 stars

Watchers

0 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages