You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Conftest helps you write tests against structured configuration data. Using Conftest you can
write tests for your Kubernetes configuration, Tekton pipeline definitions, Terraform code,
Serverless configs or any other config files.
Conftest uses the Rego language from Open Policy Agent for writing
the assertions. You can read more about Rego in How do I write policies
in the Open Policy Agent documentation.
Here's a quick example. Save the following as policy/deployment.rego:
package main
deny contains msg if {
input.kind =="Deployment" not input.spec.template.spec.securityContext.runAsNonRoot
msg :="Containers must not run as root"
}
deny contains msg if {
input.kind =="Deployment" not input.spec.selector.matchLabels.app
msg :="Containers must provide app label for pod selectors"
}
Assuming you have a Kubernetes deployment in deployment.yaml you can run Conftest like so:
$ conftest test deployment.yamlFAIL - deployment.yaml - Containers must not run as rootFAIL - deployment.yaml - Containers must provide app label for pod selectors2 tests, 0 passed, 0 warnings, 2 failures, 0 exceptions
Conftest isn't specific to Kubernetes. It will happily let you write tests for any configuration files in a variety of different formats. See the documentation for installation instructions and
more details about the features.
