This repo uses as a combination of bats, conftest and gatekeeper to validate the rego policies.
Each policy lives under its own directory, i.e.: policy/ocp/bestpractices/common-k8s-labels-notset. Every policy must have a test_data directory; within that directory, there should be:
- unit: should contain only the YAML needed to execute the policy, i.e.: a cut down version
- integration: should contain valid YAML which can be deployed to a cluster which only triggers the policy under-test
Each policy must have a BATS test executed by its usecase:
- unit test files will be executed by _test/conftest-unittests.sh.
- integration test files targeting OCP will be executed by _test/gatekeeper-integrationtests.sh.
- integration test files targeting k8s will be executed by _test/gatekeeper-k8s-integrationtests.sh.
Each policy, if applicable, must have an opa eval --profile test executed by _test/opa-profile.sh.
bats _test/conftest-unittests.shbats _test/opa-profile.sh_test/deploy-gatekeeper.sh deploy_gatekeeper
_test/deploy-gatekeeper.sh deploy_constraints
bats _test/gatekeeper-integrationtests.shBy default, Gatekeeper watches all projects, unless they are labeled admission.gatekeeper.sh/ignore.
If you only want Gatekeeper to watch the project created by _test/gatekeeper-integrationtests.sh,
run the below before deploy_constraints:
_test/deploy-gatekeeper.sh patch_namespaceselectorThe following tools must be installed locally: