Commit
Showing 3 changed files with 45 additions and 1 deletion.
@@ -0,0 +1,38 @@ | ||
# Example Policy Org's Policy-as-code demo 2 | ||
|
||
This repo contains the company policy that has been codified into [kyverno](https://kyverno.io/) and [checkov](https://www.checkov.io/) policies. | ||
|
||
## Usage | ||
|
||
See [app1](https://github.com/example-policy-org-demo/app1) for a kubernetes implementation; and [infra1](https://github.com/example-policy-org-demo/infra1) for a terraform implementation. | ||
|
||
## Development | ||
|
||
### Kubernetes policies | ||
|
||
These are kept in [kubernetes/kyverno](./kubernetes/kyverno) and can be added to by creating a new directory, and referencing this in the [kustomization.yaml](./kubernetes/kyverno/kustomization.yaml). It is important that test cases are created and a test.yaml accompanies the policy.yaml following the [documentation of developing kyverno policy](https://kyverno.io/docs/kyverno-cli/#test). | ||
|
||
If you want to inherit an external policy for example from the kyverno policy library you can add the reference in the [kustomization.yaml](./kubernetes/kyverno/kustomization.yaml). If doing this, it is important for the stability of the policy to reference an immutable reference such as a git-sha to ensure that the implementations of policy checking based on this repo are deterministic and repeatable. | ||
|
||
Testing can be accomplished with: | ||
```bash | ||
$ kyverno test . | ||
``` | ||
|
||
### Terraform IaaC policies | ||
|
||
Similar to the [Kubernetes policies](#kubernetes-policies) these are in [infra/checkov](./infra/checkov/) and can be added to by creating a new directory. [checkov](https://checkov.io) doesn't yet have a formalised testing pattern for policy. So a [BATS](https://github.com/bats-core/bats-core) testing framework has been implemented. Policy can be written either as [python](https://www.checkov.io/3.Custom%20Policies/Python%20Custom%20Policies.html) or [yaml](https://www.checkov.io/3.Custom%20Policies/YAML%20Custom%20Policies.html). | ||
|
||
If you want to inherit an external policy for example one of the checks built in to checkov you can add to the checks in the [checkov config](./infra/checkov/config.yaml). | ||
|
||
If doing this, it is important for the stability of the policy to reference specific checks and an immutable reference where available such as a git-sha to ensure that the implementations of policy checking based on this repo are deterministic and repeatable. | ||
|
||
Testing can be accomplished with: | ||
```bash | ||
$ bats infra/checkov/test.bats | ||
``` | ||
|
||
--- | ||
|
||
See the [What is Policy As [versioned] Code? blog post](https://www.appvia.io/blog/policy-as-versioned-code) to better understand how the repositories connect together. | ||
|
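Review bot: the Development section of the new README tells contributors how to run the tests but never says how to install or which versions to use of the three CLIs the tests depend on (the kyverno CLI for `kyverno test .`, checkov, and bats for `bats infra/checkov/test.bats`); since the README itself stresses that policy checking built on this repo must be "deterministic and repeatable", add a short prerequisites paragraph under "## Development" naming the tool versions the test suites are known to pass on, ideally pinned the same way the README asks external policies to be pinned. Minor points in the same hunk: the heading "### Terraform IaaC policies" should read "### Terraform IaC policies"; the `$ ` prompts inside the two bash fences get copied along with the command, so drop them; and the two checkov links (`https://www.checkov.io/` in the intro, `https://checkov.io` in the Terraform section) should use one form.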
@@ -1,6 +1,6 @@ | ||
framework: | ||
- terraform | ||
external-checks-dir: ../policy/infra/checkov/ | ||
external-checks-dir: ./ | ||
run-all-external-checks: true | ||
check: | ||
- CUSTOM_* |
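Review bot: changing `external-checks-dir` from `../policy/infra/checkov/` to `./` makes the location of the custom checks depend on where checkov is invoked rather than on a path fixed relative to the policy repo, and nothing in this commit records which working directory `bats infra/checkov/test.bats` (and the consuming infra1 repo) is expected to run checkov from; add a comment above `external-checks-dir:` stating the expected invocation directory, or have the BATS test change into it explicitly, so a run from the repo root does not silently load zero external checks. Also worth a comment on the `check:` filter: with only `- CUSTOM_*` listed, none of checkov's built-in checks are enforced, which is fine for a policy-only config but should be stated next to the filter since the new README tells readers that built-in checks are enabled by adding them here.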