
brendanjryan / ccheck

Licence: other
A command line tool for validating Kubernetes configs with rego


ccheck


ccheck is a command line application for writing tests against configuration files and data using the rego query language. Its intended purpose is checking Kubernetes config files (.json or .yaml), but it can be extended to support other file types.

Usage

The ccheck binary looks for rego rules of the form deny_<rule_name> and warn_<rule_name> during its evaluation process. If a resource matches a "deny" rule, a failure is issued; if it matches a "warn" rule, a warning is logged to the command line. An example of a valid, well-formed ccheck config is as follows:

Example .rego file

package main

is_hpa {
  input.kind = "HorizontalPodAutoscaler"
}

# checks that we do not include any horizontal pod autoscalers
deny_no_hpa[msg] {
    not is_hpa
    msg = sprintf("%s must not include any Horizontal Pod AutoScalers", [input.metadata.name])
}

# checks that apps do not live in the default namespace
warn_no_default_namespace[msg] {
    not input.metadata.namespace = "default"
    msg = sprintf("%s should not be configured to live in the default namespace", [input.metadata.name])
}

N.B. As an added bonus, you can also use ccheck rules as policies in the Open Policy Agent Admission Controller.

ccheck can then be invoked using this policy via:

ccheck -p <policy directory> <files to check....>

For example using the following file:

Example Kubernetes .yaml file

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80

---

apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: nginx
  namespace: default
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx
  minReplicas: 1
  maxReplicas: 10
  targetCPUUtilizationPercentage: 50

Will produce the following output:

Warning: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment should not be configured to live in the default namespace
Failure: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment must not include any Horizontal Pod AutoScalers

Full Example:

If you would like to see ccheck in action, this project bundles this example in its source as well. Just clone this project and run:

./ccheck -p example/policies example/test.yaml 
Warning: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment should not be configured to live in the default namespace
Failure: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment must not include any Horizontal Pod AutoScalers
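
The rules above can also be unit tested before they are pointed at real manifests. The following is an added example, not part of the ccheck project: a Rego test file, written in the same pre-1.0 Rego syntax as the example policy, that pins down what each rule returns for the two documents in the example .yaml file. The test names and the constants deployment and hpa are assumptions made for this example; the inputs are constructed from the example file and reduced to the fields the rules read.

```rego
package main

# Constructed inputs: the two documents from the example .yaml file,
# reduced to the fields the rules read.
deployment := {
    "kind": "Deployment",
    "metadata": {"name": "nginx-deployment"}
}

hpa := {
    "kind": "HorizontalPodAutoscaler",
    "metadata": {"name": "nginx", "namespace": "default"}
}

# `not is_hpa` holds for the Deployment, so the deny rule yields one message.
test_deny_fires_on_deployment {
    msgs := deny_no_hpa with input as deployment
    msgs == {"nginx-deployment must not include any Horizontal Pod AutoScalers"}
}

# is_hpa is true for the HPA document, so `not is_hpa` fails and the set is empty.
test_deny_silent_on_hpa {
    count(deny_no_hpa) == 0 with input as hpa
}

# The Deployment has no metadata.namespace. The comparison is undefined,
# and `not` over an undefined expression succeeds, so the warning fires.
test_warn_fires_when_namespace_is_absent {
    msgs := warn_no_default_namespace with input as deployment
    msgs == {"nginx-deployment should not be configured to live in the default namespace"}
}

# The HPA sets namespace to "default", so the negated comparison fails.
test_warn_silent_on_default_namespace {
    count(warn_no_default_namespace) == 0 with input as hpa
}
```

Run it with opa test against the directory holding the policy and this file, using an OPA release that accepts this syntax. Because each rule body starts with `not`, both messages in the output above name nginx-deployment rather than the nginx autoscaler.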

FAQ

  • Why use rego instead of another declarative language like hcl?

    Although rego is a very new and domain-specific language, its simple grammar and extensibility were the main motivators for using it instead of a more popular declarative language or framework. As an added bonus, you can re-use your policies declared in rego right out of the box in Kubernetes admission controllers powered by Open Policy Agent.
