How do I test violations in Open Policy Agent?


The tests I have stumbled across all seem to be duplicates.

I am looking into Gatekeeper violations.

For example, this policy checks the repository a container image comes from:

package k8sallowedrepos

violation[{"msg": msg}] {
  container := input.review.object.spec.containers[_]
  satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
  not any(satisfied)
  msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
}

violation[{"msg": msg}] {
  container := input.review.object.spec.initContainers[_]
  satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
  not any(satisfied)
  msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
}

Where should I start with testing this?

If you are writing your own templates for OPA Gatekeeper, we recommend writing tests for the rules in those templates just as you would for any other rules you write for OPA. In this case you want tests that exercise deny (i.e., all statements in one of the rules match) and no result (i.e., at least one statement in each of the two rules does not match). We recommend using OPA's ability to do test-driven development (TDD) wherever possible.

package k8sallowedrepos

test_image_safety_positive {
    count(violation) == 1 with input.parameters.repos as ["hooli.com/"]
        with input.review.object.spec.containers as [
            {"name": "ok", "image": "hooli.com/web"},
            {"name": "bad", "image": "badrepo.com/web"},
        ]
}

test_image_safety_negative {
    count(violation) == 0 with input.parameters.repos as ["hooli.com/"]
        with input.review.object.spec.containers as [
            {"name": "ok", "image": "hooli.com/web"},
        ]
}

test_image_safety_init_container_positive {
    count(violation) == 1 with input.parameters.repos as ["hooli.com/"]
        with input.review.object.spec.initContainers as [
            {"name": "ok", "image": "hooli.com/web"},
            {"name": "bad", "image": "badrepo.com/web"},
        ]
}

test_image_safety_init_container_negative {
    count(violation) == 0 with input.parameters.repos as ["hooli.com/"]
        with input.review.object.spec.initContainers as [
            {"name": "ok", "image": "hooli.com/web"},
        ]
}
The pattern we have been following in the OPA Gatekeeper library (WIP) is to include the tests as rules in the same package, but in a separate file in the same directory (e.g. src.rego and src_test.rego). Link: . Note that the ConstraintTemplate YAML file that ultimately loads the rules into the cluster should be treated as a build artifact. Keep the source in .rego files on disk (under version control) and generate the ConstraintTemplate YAML from those files.
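Two further tests, added here as an example and not part of the answer above or the Gatekeeper library: they assume the two `violation` rules from the question sit in `src.rego` in the same `k8sallowedrepos` package, that these tests live beside it in `src_test.rego`, and that the suite is run with `opa test .`. The first covers an edge case the answer's tests do not: a registry whose hostname merely begins with the allowed one (`hooli.com.evil`, a constructed name) is still denied, which depends on the trailing `/` in the allowed repo. The second checks the message content. The third documents what happens when the parameter is written without the slash.

```rego
package k8sallowedrepos

# Constructed AdmissionReview-shaped input (hypothetical values): the whole
# input object is mocked at once, the way Gatekeeper hands it to the template.
pod_with_lookalike := {
    "review": {"object": {"spec": {
        "containers": [{"name": "web", "image": "hooli.com.evil/web"}],
        "initContainers": [{"name": "init", "image": "hooli.com/init"}],
    }}},
    "parameters": {"repos": ["hooli.com/"]},
}

# Same pod, but the allowed repo lacks the trailing "/" (object.union merges
# recursively, so only parameters.repos changes).
pod_with_lookalike_bare_prefix := object.union(pod_with_lookalike, {
    "parameters": {"repos": ["hooli.com"]},
})

# Deny: the container image comes from a lookalike registry, the init
# container is fine, so exactly one violation is expected.
test_lookalike_registry_denied {
    count(violation) == 1 with input as pod_with_lookalike
}

# The message must name the offending container and image so an operator can
# act on it without re-reading the admission request.
test_violation_message_names_container {
    v := violation[_] with input as pod_with_lookalike
    contains(v.msg, "container <web>")
    contains(v.msg, "hooli.com.evil/web")
}

# No result: without the trailing "/", startswith matches the lookalike
# registry too. This test pins that behaviour so a reviewer notices if a
# constraint is ever written with the bare hostname.
test_prefix_without_slash_lets_lookalike_through {
    count(violation) == 0 with input as pod_with_lookalike_bare_prefix
}
```

Running `opa test -v .` in the directory containing both files reports each of these by name; keeping the negative test next to the positive one makes the dependence on the trailing slash visible in the test output rather than only in a comment.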