This action checks the connectivity in a given Kubernetes cluster against a set of corporate policies. It will first extract the cluster's connectivity graph by scanning your repository for YAML files containing endpoint resources (e.g., Deployments) or connectivity resources (Kubernetes NetworkPolicies). It will then verify that the connectivity graph adheres to a set of corporate policies, given as the action's input. Corporate policies are defined in YAML files; their syntax is defined here.
This action is part of a wider attempt to provide shift-left automation for generating and maintaining Kubernetes Network Policies.
A space-separated list of corporate policy files to verify (either as GitHub URLs or paths under GitHub workspace)
(Optional) The path in the GitHub workspace where deployment yamls are. Default is . (scanning the whole repository).
(Optional) The path in the GitHub workspace where the NetworkPolicy yamls are stored. Default is . (scanning the whole repository).
(Optional) The format in which to output verifitaion results. Either "md" (default) or "txt".
The name of the artifact containing verification results for all policies
The name of the actual file in the artifact, which contains verification results for all policies
The number of corporate policies which the cluster's connectivity graph violates
Can be used to block a pull-request from being merged.
name: verify-network-policies
on:
pull_request:
jobs:
verify-netpols:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Verify policies
id: verify-policies
uses: np-guard/netpol-verify-gh-action@v2
with:
corporate-policies: >
https://github.com/np-guard/baseline-rules/blob/master/examples/ciso_denied_ports.yaml
- run: exit ${{ steps.verify-policies.outputs.num-violated-policies }}
name: verify-network-policies
on:
pull_request:
jobs:
verify-netpols:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Verify policies
id: verify-policies
uses: np-guard/netpol-verify-gh-action@v2
with:
corporate-policies: >
https://github.com/np-guard/baseline-rules/blob/master/examples/ciso_denied_ports.yaml
https://github.com/np-guard/baseline-rules/blob/master/examples/restrict_access_to_payment.yaml
- uses: actions/download-artifact@v2
with:
name: ${{ steps.verify-policies.outputs.policy-results-artifact }}
- name: comment PR
run: gh pr comment ${{ github.event.number }} -F ${{ steps.verify-policies.outputs.policy-results-file }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}