Commit
readme
chrisns committed Apr 6, 2022
1 parent 49b406c commit b97a8eb
Showing 3 changed files with 45 additions and 1 deletion.
38 changes: 38 additions & 0 deletions README.md
@@ -0,0 +1,38 @@
# Example Policy Org's Policy-as-code demo 2

This repo contains the company policy that has been codified into [kyverno](https://kyverno.io/) and [checkov](https://www.checkov.io/) policies.

## Usage

See [app1](https://github.com/example-policy-org-demo/app1) for a kubernetes implementation; and [infra1](https://github.com/example-policy-org-demo/infra1) for a terraform implementation.

## Development

### Kubernetes policies

These are kept in [kubernetes/kyverno](./kubernetes/kyverno) and can be added to by creating a new directory, and referencing this in the [kustomization.yaml](./kubernetes/kyverno/kustomization.yaml). It is important that test cases are created and a test.yaml accompanies the policy.yaml following the [documentation of developing kyverno policy](https://kyverno.io/docs/kyverno-cli/#test).

If you want to inherit an external policy for example from the kyverno policy library you can add the reference in the [kustomization.yaml](./kubernetes/kyverno/kustomization.yaml). If doing this, it is important for the stability of the policy to reference an immutable reference such as a git-sha to ensure that the implementations of policy checking based on this repo are deterministic and repeatable.

Testing can be accomplished with:
```bash
$ kyverno test .
```

### Terraform IaaC policies

Similar to the [Kubernetes policies](#kubernetes-policies) these are in [infra/checkov](./infra/checkov/) and can be added to by creating a new directory. [checkov](https://checkov.io) doesn't yet have a formalised testing pattern for policy. So a [BATS](https://github.com/bats-core/bats-core) testing framework has been implemented. Policy can be written either as [python](https://www.checkov.io/3.Custom%20Policies/Python%20Custom%20Policies.html) or [yaml](https://www.checkov.io/3.Custom%20Policies/YAML%20Custom%20Policies.html).

If you want to inherit an external policy for example one of the checks built in to checkov you can add to the checks in the [checkov config](./infra/checkov/config.yaml).

If doing this, it is important for the stability of the policy to reference specific checks and an immutable reference where available such as a git-sha to ensure that the implementations of policy checking based on this repo are deterministic and repeatable.

Testing can be accomplished with:
```bash
$ bats infra/checkov/test.bats
```

---

See the [What is Policy As [versioned] Code? blog post](https://www.appvia.io/blog/policy-as-versioned-code) to better understand how the repositories connect together.
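Review bot: the heading "### Terraform IaaC policies" has a typo; the usual abbreviation is "IaC" (Infrastructure as Code), so it should read "### Terraform IaC policies". Two smaller points in the same hunk: both test commands (`kyverno test .` and `bats infra/checkov/test.bats`) only work from the repository root, because test.bats iterates `infra/checkov/*/` as a relative path, so say so explicitly in both "Testing can be accomplished with:" lines; and the checkov links use `https://checkov.io` in one place and `https://www.checkov.io/...` elsewhere, so pick one host for consistency. The advice to pin inherited kyverno and checkov policies to an immutable reference such as a git sha is the right call for reproducible policy checks; it would be worth adding a one-line example of what that looks like in kustomization.yaml so contributors do not fall back to a branch name.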

2 changes: 1 addition & 1 deletion infra/checkov/config.yaml
@@ -1,6 +1,6 @@
framework:
- terraform
external-checks-dir: ../policy/infra/checkov/
external-checks-dir: ./
run-all-external-checks: true
check:
- CUSTOM_*
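Review bot: `external-checks-dir: ./` is a relative path, and the previous value `../policy/infra/checkov/` was clearly written for a different working directory, so state in the README which directory checkov is expected to run from (or pass an explicit `--directory`/config path in the documented command) and confirm whether checkov resolves this value against the current working directory or the config file's location; if it is the working directory, running from the repository root, as test.bats does with its `infra/checkov/*/` paths, would not pick up the custom checks. Also worth noting that with `check: - CUSTOM_*` only custom checks are selected, so any built-in check the README says can be "inherited" has to be added to this list explicitly; `run-all-external-checks: true` only covers the external checks, not built-in ones.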
6 changes: 6 additions & 0 deletions infra/checkov/test.bats
@@ -1,5 +1,11 @@
#!/usr/bin/env bats

# Bats doesn't currently support dynamic test definitions
# so I've had to test all the policies within a single @test
# while test failures will show some output it would be
# much nicer to have a @test per test case
# https://github.com/bats-core/bats-core/issues/306

@test "checkov" {
for dir in infra/checkov/*/ ; do
for passing in ${dir}pass*.tf ; do
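Review bot: the inner loop `for passing in ${dir}pass*.tf ; do` relies on an unquoted glob without `nullglob`, so in a policy directory that has no `pass*.tf` files the loop body runs once with the literal string `infra/checkov/<dir>/pass*.tf`, which would be reported as a checkov error or a missing file rather than as "no test cases". Add `shopt -s nullglob` at the top of the test, or guard the body with `[ -e "$passing" ] || continue`, and quote the expansions (`"${dir}"pass*.tf`, `"$passing"`) so directory names containing spaces do not split. Since the single `@test "checkov"` block covers every policy, as the comment above explains, a silently skipped directory is easy to miss; printing the directory name before each checkov run would make failures in the combined test easier to attribute.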
