A command line tool for validating Kubernetes configs with rego

Overview

ccheck


ccheck is a command line application for writing tests against configuration files and data using the rego query language. Its intended purpose is checking Kubernetes config files (.json or .yaml), but it can be extended to support other file types.

Usage

The ccheck binary looks for rego rules named deny_<rule_name> and warn_<rule_name> during its evaluation process. If a resource matches a deny rule, a failure is issued; if it matches a warn rule, a warning is logged to the command line. An example of a valid, well-formed ccheck config is as follows:

Example .rego file

package main

# true when the resource being evaluated is a HorizontalPodAutoscaler
is_hpa {
    input.kind = "HorizontalPodAutoscaler"
}

# checks that we do not include any horizontal pod autoscalers
deny_no_hpa[msg] {
    not is_hpa
    msg = sprintf("%s must not include any Horizontal Pod AutoScalers", [input.metadata.name])
}

# checks that apps do not live in the default namespace
warn_no_default_namespace[msg] {
    not input.metadata.namespace = "default"
    msg = sprintf("%s should not be configured to live in the default namespace", [input.metadata.name])
}

N.B. As an added bonus you can also use ccheck rules as policies in the Open Policy Agent Admission Controller

ccheck can then be invoked using this policy via:

ccheck -p <policy directory> <files to check....>

For example using the following file:

Example Kubernetes .yaml file

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80

---

apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: nginx
  namespace: default
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx
  minReplicas: 1
  maxReplicas: 10
  targetCPUUtilizationPercentage: 50

Will produce the following output:

Warning: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment should not be configured to live in the default namespace
Failure: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment must not include any Horizontal Pod AutoScalers

Full Example:

If you would like to see ccheck in action, this project bundles the example above in its source as well. Just clone the project and run:

./ccheck -p example/policies example/test.yaml 
Warning: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment should not be configured to live in the default namespace
Failure: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment must not include any Horizontal Pod AutoScalers
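A further policy, added here as an example and not part of the ccheck project or its example directory, that uses the same deny_/warn_ naming convention to check the Deployment above for a few common hardening gaps; the rule names, helper names and messages are my own:

```rego
package main

is_deployment {
    input.kind = "Deployment"
}

# the set of containers in the Deployment's pod template
containers[c] {
    is_deployment
    c = input.spec.template.spec.containers[_]
}

# final path segment of an image reference, e.g. "nginx:1.7.9" from
# "docker.io/library/nginx:1.7.9", so "registry:5000/nginx" is not read as tagged
image_ref(c) = ref {
    parts = split(c.image, "/")
    ref = parts[count(parts) - 1]
}

# deny images that pin neither a tag nor a digest
deny_unpinned_image[msg] {
    c = containers[_]
    ref = image_ref(c)
    not contains(ref, ":")
    not contains(ref, "@")
    msg = sprintf("%s: container %s must pin an image tag or digest", [input.metadata.name, c.name])
}

# deny the mutable :latest tag
deny_unpinned_image[msg] {
    c = containers[_]
    endswith(image_ref(c), ":latest")
    msg = sprintf("%s: container %s must not use the :latest tag", [input.metadata.name, c.name])
}

# deny privileged containers
deny_privileged[msg] {
    c = containers[_]
    c.securityContext.privileged = true
    msg = sprintf("%s: container %s must not run privileged", [input.metadata.name, c.name])
}

# warn when the pod template does not require a non-root user;
# this also fires when securityContext is absent entirely
warn_run_as_root[msg] {
    is_deployment
    not input.spec.template.spec.securityContext.runAsNonRoot = true
    msg = sprintf("%s should set spec.template.spec.securityContext.runAsNonRoot: true", [input.metadata.name])
}
```

Run against example/test.yaml above, only warn_run_as_root fires, for nginx-deployment: its image is pinned to nginx:1.7.9 but it sets no securityContext, and the HorizontalPodAutoscaler is skipped because it is not a Deployment.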

FAQ

  • Why use rego instead of another declarative language like hcl?

    Although rego is a very new and domain-specific language, its simple grammar and extensibility were the main motivators for using it instead of a more popular declarative language or framework. As an added bonus, you can re-use your policies declared in rego right out of the box in Kubernetes admission controllers powered by Open Policy Agent.

Additional References


Comments
  • Project scope

    Hello! I saw your project on Reddit and I'm wondering what's the difference with https://github.com/instrumenta/conftest?

    For now, my initial understanding was that this project seemed 100% laser focused on Kubernetes but you say the opposite in the Readme.

    The syntactic sugar to display warning/error messages is a nice touch. Could you elaborate on the vision and name as well as your plans moving forward? :)

    Thank you

    opened by zmarouf 1