feat(opa): add conftest OPA policies and pre-commit hook #167

Open
unkinben wants to merge 1 commits from benvin/opa_policies into main
Owner

Summary

Introduces three OPA policy files under policy/ and a conftest pre-commit hook that runs against all staged YAML manifests (Helm chart templates excluded).

Policies

policy/no_ingress.rego

  • Deny kind: Ingress — this cluster uses Gateway API only

policy/gateway_api.rego

  • HTTPRoute/TLSRoute parentRefs: require explicit group: gateway.networking.k8s.io and kind: Gateway
  • HTTPRoute/TLSRoute backendRefs: require explicit group: "", kind: Service, weight: 1
  • Gateway certificateRefs: require explicit group: ""
  • Catches the root cause of #153, #162, #165 at commit time

policy/resource_normalization.rego

  • Deny unquoted integer CPU values (Kubernetes normalizes 1 → "1", causing ArgoCD OutOfSync)
  • Deny milliCPU divisible by 1000 (e.g. 1000m → "1", 2000m → "2")
  • Deny memory Mi divisible by 1024 (e.g. 1024Mi → 1Gi, 3072Mi → 3Gi)
  • Deny clusterIP: null on Services (assigned IP always differs from null)
  • Catches the root cause of #163, #164, #166

Pre-commit hook

Added conftest_policies hook to .pre-commit-config.yaml:

  • Runs conftest test --policy policy/ on all staged YAML files
  • Excludes charts/, templates/, and .woodpecker/ paths

Existing violations fixed

Fixes all resource normalization violations found by the new policies:

  • puppet/deployment_puppetdb.yaml — cpu limit 1 → "1"
  • puppet/deployment_puppetserver-master.yaml — cpu 2 → "2", memory 1024Mi → 1Gi
  • puppet/deployment_puppetserver-compiler.yaml — cpu 2 → "2", memory 3072Mi → 3Gi, 1024Mi → 1Gi
  • puppet/deployment_puppetboard.yaml — memory 1024Mi → 1Gi
  • reposync/cronjob_reposync-*.yaml (4 files) — cpu 2000m → "2"

kanidm/tlsroute.yaml and puppet/service_puppetdb.yaml are fixed in PRs #165 and #166 respectively.

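The resource normalization checks described in the PR, written out as an added illustration in conftest's Rego (my own sketch, not the policy/resource_normalization.rego file from this PR; the pod_spec and quantities helpers, rule bodies and messages are assumptions). It flags any unquoted numeric cpu, which covers the integer case the PR names, and reads each YAML document as conftest's input:

```rego
package main

import rego.v1

# Pod spec of the workload kinds this repo's manifests use (assumed set).
pod_spec := input.spec.template.spec if input.kind in {"Deployment", "StatefulSet", "DaemonSet", "Job"}
pod_spec := input.spec.jobTemplate.spec.template.spec if input.kind == "CronJob"

quantities contains [c.name, class, field, q] if {
	some c in pod_spec.containers
	some class in {"requests", "limits"}
	some field in {"cpu", "memory"}
	q := c.resources[class][field]
}

# `cpu: 1` is a YAML number; the API server stores the string "1", so the live object never matches and ArgoCD stays OutOfSync.
deny contains msg if {
	some q in quantities
	[name, class, "cpu", cpu] = q
	is_number(cpu)
	msg := sprintf("%s: cpu %s %v is unquoted; write \"%v\"", [name, class, cpu, cpu])
}

# Whole-core milliCPU ("2000m") is normalised to "2".
deny contains msg if {
	some q in quantities
	[name, class, "cpu", cpu] = q
	is_string(cpu)
	endswith(cpu, "m")
	milli := to_number(trim_suffix(cpu, "m"))
	milli % 1000 == 0
	msg := sprintf("%s: cpu %s %s normalises to \"%v\"", [name, class, cpu, milli / 1000])
}

# Mi divisible by 1024 is normalised to Gi ("3072Mi" -> "3Gi").
deny contains msg if {
	some q in quantities
	[name, class, "memory", mem] = q
	endswith(mem, "Mi")
	mi := to_number(trim_suffix(mem, "Mi"))
	mi % 1024 == 0
	msg := sprintf("%s: memory %s %s normalises to %vGi", [name, class, mem, mi / 1024])
}

# An explicit `clusterIP: null` is replaced by the allocated IP on the live Service.
deny contains msg if {
	input.kind == "Service"
	input.spec.clusterIP == null
	msg := sprintf("Service %s: clusterIP: null never matches the assigned IP; drop the field", [input.metadata.name])
}
```

Run with `conftest test --policy policy/ <manifest>`: a container with `cpu: 2` or `memory: 1024Mi` yields a deny, while `cpu: "2"` or `memory: 1Gi` passes.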
unkinben added 1 commit 2026-05-25 00:00:56 +10:00
feat(opa): add conftest OPA policies and pre-commit hook
ci/woodpecker/pr/pre-commit Pipeline failed
ci/woodpecker/pr/kubeconform Pipeline was successful
d0b3c26223
Adds three policy files under policy/ plus a pre-commit hook that
runs conftest against all staged YAML manifests (excluding chart
templates).

Policies:
  no_ingress.rego
    Deny Ingress resources — cluster uses Gateway API only.

  gateway_api.rego
    HTTPRoute/TLSRoute: require explicit group/kind on parentRefs and
    group/kind/weight on backendRefs (PR #162, #165).
    Gateway: require explicit group on certificateRefs (PR #153).
    All fields are defaulted by the controller; omitting them causes
    permanent ArgoCD OutOfSync.

  resource_normalization.rego
    CPU integer: deny unquoted integer cpu values (PR #163).
    CPU milliCPU: deny values like 1000m/2000m that normalise to "1"/"2" (PR #164).
    Memory Mi→Gi: deny 1024Mi/2048Mi etc. that normalise to 1Gi/2Gi (PR #163).
    clusterIP null: deny Service with explicit null clusterIP (PR #166).

Also fixes all existing violations found by the new policies across
puppet deployments and reposync cronjobs (resource normalization).
kanidm/tlsroute.yaml and puppet/service_puppetdb.yaml are excluded
from this commit as they are addressed in PRs #165 and #166.
Reference: unkin/argocd-apps#167