Commit b97a8eb

committed
readme
1 parent 49b406c commit b97a8eb

3 files changed

+45
-1
lines changed

README.md

Lines changed: 38 additions & 0 deletions
@@ -0,0 +1,38 @@
1+
# Example Policy Org's Policy-as-code demo 2
2+
3+
This repo contains the company policy that has been codified into [kyverno](https://kyverno.io/) and [checkov](https://www.checkov.io/) policies.
4+
5+
## Usage
6+
7+
See [app1](https://github.com/example-policy-org-demo/app1) for a kubernetes implementation; and [infra1](https://github.com/example-policy-org-demo/infra1) for a terraform implementation.
8+
9+
## Development
10+
11+
### Kubernetes policies
12+
13+
These are kept in [kubernetes/kyverno](./kubernetes/kyverno) and can be added to by creating a new directory, and referencing this in the [kustomization.yaml](./kubernetes/kyverno/kustomization.yaml). It is important that test cases are created and a test.yaml accompanies the policy.yaml following the [documentation of developing kyverno policy](https://kyverno.io/docs/kyverno-cli/#test).
14+
15+
If you want to inherit an external policy for example from the kyverno policy library you can add the reference in the [kustomization.yaml](./kubernetes/kyverno/kustomization.yaml). If doing this, it is important for the stability of the policy to reference an immutable reference such as a git-sha to ensure that the implementations of policy checking based on this repo are deterministic and repeatable.
16+
17+
Testing can be accomplished with:
18+
```bash
19+
$ kyverno test .
20+
```
21+
22+
### Terraform IaaC policies
23+
24+
Similar to the [Kubernetes policies](#kubernetes-policies) these are in [infra/checkov](./infra/checkov/) and can be added to by creating a new directory. [checkov](https://checkov.io) doesn't yet have a formalised testing pattern for policy. So a [BATS](https://github.com/bats-core/bats-core) testing framework has been implemented. Policy can be written either as [python](https://www.checkov.io/3.Custom%20Policies/Python%20Custom%20Policies.html) or [yaml](https://www.checkov.io/3.Custom%20Policies/YAML%20Custom%20Policies.html).
25+
26+
If you want to inherit an external policy for example one of the checks built in to checkov you can add to the checks in the [checkov config](./infra/checkov/config.yaml).
27+
28+
If doing this, it is important for the stability of the policy to reference specific checks and an immutable reference where available such as a git-sha to ensure that the implementations of policy checking based on this repo are deterministic and repeatable.
29+
30+
Testing can be accomplished with:
31+
```bash
32+
$ bats infra/checkov/test.bats
33+
```
34+
35+
---
36+
37+
See the [What is Policy As [versioned] Code? blog post](https://www.appvia.io/blog/policy-as-versioned-code) to better understand how the repositories connect together.
38+
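Review bot: the heading on new line 22 reads "Terraform IaaC policies"; the usual abbreviation is "IaC" (Infrastructure as Code), so `### Terraform IaC policies`. Both test invocations on new lines 19 and 32 also assume the repository root as working directory (the `infra/checkov/*/` globs in test.bats only resolve from there), so state "from the repository root" next to `kyverno test .` and `bats infra/checkov/test.bats`. The advice on new lines 15 and 28 to pin external policy to an immutable git-sha would be easier to follow with one concrete pinned reference shown in the kustomization.yaml and config.yaml snippets rather than described in prose only.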

infra/checkov/config.yaml

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
framework:
22
- terraform
3-
external-checks-dir: ../policy/infra/checkov/
3+
external-checks-dir: ./
44
run-all-external-checks: true
55
check:
66
- CUSTOM_*
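Review bot: `external-checks-dir: ./` is resolved relative to the working directory checkov is started in, not relative to config.yaml, so whether it points at `infra/checkov/` depends on where the scan is launched. The README runs `bats infra/checkov/test.bats` from the repository root, so confirm that test.bats either changes into `infra/checkov` before invoking checkov or passes the config with an explicit path; otherwise `./` selects the repository root and the custom checks under `infra/checkov/*/` are not loaded. Using `infra/checkov/` here, or documenting the required working directory beside this setting, removes the ambiguity.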

infra/checkov/test.bats

Lines changed: 6 additions & 0 deletions
@@ -1,5 +1,11 @@
11
#!/usr/bin/env bats
22

3+
# Bats doesn't currently support dynamic test definitions
4+
# so I've had to test all the policies within a single @test
5+
# while test failures will show some output it would be
6+
# much nicer to have a @test per test case
7+
# https://github.com/bats-core/bats-core/issues/306
8+
39
@test "checkov" {
410
for dir in infra/checkov/*/ ; do
511
for passing in ${dir}pass*.tf ; do
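Review bot: the inner loop `for passing in ${dir}pass*.tf` iterates over the literal pattern string when a policy directory contains no `pass*.tf` file, because bash leaves an unmatched glob unexpanded by default, so the loop body would run against a path that does not exist and report a misleading failure. Guard the body with `[ -e "$passing" ] || continue`, or enable `shopt -s nullglob` before the loops; quoting `"${dir}"` in both loops also keeps directory names with spaces intact. Since the single `@test` (explained in the new comment on lines 3-7) hides which policy failed, echoing `$dir` and `$passing` before each check would at least name the failing case in the bats output.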