feat(opa): add conftest OPA policies and pre-commit hook #167
Summary
Introduces three OPA policy files under policy/ and a conftest pre-commit hook that runs against all staged YAML manifests (Helm chart templates excluded).

Policies

- policy/no_ingress.rego — kind: Ingress — this cluster uses Gateway API only
- policy/gateway_api.rego
  - parentRefs: require explicit group: gateway.networking.k8s.io and kind: Gateway
  - backendRefs: require explicit group: "", kind: Service, weight: 1
  - certificateRefs: require explicit group: ""
- policy/resource_normalization.rego
  - 1 → "1", causing ArgoCD OutOfSync
  - 1000m → "1", 2000m → "2"
  - 1024Mi → 1Gi, 3072Mi → 3Gi
  - clusterIP: null on Services (assigned IP always differs from null)

Pre-commit hook

Added conftest_policies hook to .pre-commit-config.yaml:

- conftest test --policy policy/ on all staged YAML files
- charts/, templates/, and .woodpecker/ paths

Existing violations fixed

Fixes all resource normalization violations found by the new policies:

- puppet/deployment_puppetdb.yaml — cpu limit 1 → "1"
- puppet/deployment_puppetserver-master.yaml — cpu 2 → "2", memory 1024Mi → 1Gi
- puppet/deployment_puppetserver-compiler.yaml — cpu 2 → "2", memory 3072Mi → 3Gi, 1024Mi → 1Gi
- puppet/deployment_puppetboard.yaml — memory 1024Mi → 1Gi
- reposync/cronjob_reposync-*.yaml (4 files) — cpu 2000m → "2"

kanidm/tlsroute.yaml and puppet/service_puppetdb.yaml are fixed in PRs #165 and #166 respectively.

Adds three policy files under policy/ plus a pre-commit hook that runs conftest against all staged YAML manifests (excluding chart templates).

Policies:

no_ingress.rego
  Deny Ingress resources — cluster uses Gateway API only.

gateway_api.rego
  HTTPRoute/TLSRoute: require explicit group/kind on parentRefs and group/kind/weight on backendRefs (PR #162, #165).
  Gateway: require explicit group on certificateRefs (PR #153).
  All fields are defaulted by the controller; omitting them causes permanent ArgoCD OutOfSync.

resource_normalization.rego
  CPU integer: deny unquoted integer cpu values (PR #163).
  CPU milliCPU: deny values like 1000m/2000m that normalise to "1"/"2" (PR #164).
  Memory Mi→Gi: deny 1024Mi/2048Mi etc. that normalise to 1Gi/2Gi (PR #163).
  clusterIP null: deny Service with explicit null clusterIP (PR #166).

Also fixes all existing violations found by the new policies across puppet deployments and reposync cronjobs (resource normalization). kanidm/tlsroute.yaml and puppet/service_puppetdb.yaml are excluded from this commit as they are addressed in PRs #165 and #166.
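As an added example (not the PR's own policy/resource_normalization.rego, which this page does not show), here is one way the four resource normalization checks listed above could be written as a conftest policy. It assumes a conftest built on OPA 0.59 or later (for import rego.v1) and is generalized with walk() so the same rules cover Deployment pod templates and CronJob jobTemplates alike.

```rego
package main
import rego.v1
# Every quantity under resources.limits / resources.requests, wherever it sits: walk()
# reaches Deployment pod templates and CronJob jobTemplates alike (path = keys from root).
quantities contains q if {
	walk(input, [path, node])
	last := count(path) - 1
	path[last] == "resources"
	some field in ["limits", "requests"]
	some key, value in node[field]
	q := {"key": key, "value": value,
		"path": concat(".", [sprintf("%v", [p]) | some p in array.concat(path, [field, key])])}
}

# 1. Unquoted integer cpu (YAML `cpu: 1`): the API server stores and returns the string "1".
deny contains msg if {
	some q in quantities
	q.key == "cpu"
	is_number(q.value); q.value == round(q.value)
	msg := sprintf("%s: cpu %v is an unquoted integer; write the string \"%v\"", [q.path, q.value, q.value])
}

# 2. Whole-core milliCPU (1000m, 2000m) normalises to "1", "2"; 1500m is left alone.
deny contains msg if {
	some q in quantities
	q.key == "cpu"
	is_string(q.value)
	regex.match(`^[0-9]+m$`, q.value)
	millis := to_number(trim_suffix(q.value, "m"))
	millis % 1000 == 0
	msg := sprintf("%s: cpu %s normalises to \"%v\"; write that instead", [q.path, q.value, millis / 1000])
}

# 3. Memory that is a whole number of GiB but written in Mi (1024Mi, 3072Mi).
deny contains msg if {
	some q in quantities
	q.key == "memory"
	is_string(q.value)
	regex.match(`^[0-9]+Mi$`, q.value)
	mebi := to_number(trim_suffix(q.value, "Mi"))
	mebi % 1024 == 0
	msg := sprintf("%s: memory %s normalises to %vGi; write that instead", [q.path, q.value, mebi / 1024])
}

# 4. `clusterIP: null` on a Service never matches the live object's assigned IP.
deny contains msg if {
	input.kind == "Service"
	input.spec.clusterIP == null
	msg := "spec.clusterIP: explicit null never matches the assigned IP; drop the field"
}
```

Place it under policy/ and run conftest test --policy policy/ path/to/manifest.yaml; conftest evaluates each YAML document in a file as a separate input, so multi-document manifests are covered.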