KPR is a set of Open Policy Agent (OPA) policies that validates multiple Kubernetes manifests.
NOTE: This is an experimental project. Please report problems via the project's issues.
When generating a manifest with helm, kustomize, etc., there is no way to validate relevant values across multiple manifests.
For example, kubeval is a great tool, but it can't verify that port values match for Ingress, Service and Deployment.
So KPR uses OPA to define policies that verify that the relevant values are correct.
- KPR only verifies related values
- KPR validates related values even within the same manifest
- KPR always assumes that the latest stable kubernetes specification is correct
- Policies defined in KPR can be partially turned off
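The kind of cross-manifest relation described above, sketched in Python as an added example; it is not KPR's own Rego policy code. It assumes all resources share one namespace and takes the manifests as already-parsed dicts (constructed samples); `pod_ports`, `selects` and `check` are hypothetical names.

```python
# Constructed sample manifests, as they would look after YAML parsing.
DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {"template": {
    "metadata": {"labels": {"app": "web"}},
    "spec": {"containers": [{"name": "web", "ports": [{"name": "http", "containerPort": 8080}]}]}}}}
SERVICE = {"kind": "Service", "metadata": {"name": "web"}, "spec": {
    "selector": {"app": "web"}, "ports": [{"port": 80, "targetPort": 8000}]}}  # 8000: mismatch
INGRESS = {"kind": "Ingress", "metadata": {"name": "web"}, "spec": {"rules": [{"http": {"paths": [
    {"path": "/", "pathType": "Prefix",
     "backend": {"service": {"name": "web", "port": {"number": 8080}}}}]}}]}}  # Service exposes 80


def pod_ports(deployment):
    """Port numbers and port names declared by the containers of the pod template."""
    found = set()
    for container in deployment["spec"]["template"]["spec"].get("containers", []):
        for port in container.get("ports", []):
            found.update({port["containerPort"], port.get("name")})
    return found - {None}


def selects(service, deployment):
    """True when every label in the Service selector is present on the pod template."""
    labels = deployment["spec"]["template"]["metadata"].get("labels", {})
    selector = service["spec"].get("selector") or {}
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())


def check(manifests):
    """Return one message per broken Ingress -> Service -> Deployment port reference."""
    services = {m["metadata"]["name"]: m for m in manifests if m.get("kind") == "Service"}
    deployments = [m for m in manifests if m.get("kind") == "Deployment"]
    errors = []
    for name, svc in services.items():
        for port in svc["spec"].get("ports", []):
            target = port.get("targetPort", port["port"])  # targetPort defaults to port
            for dep in (d for d in deployments if selects(svc, d)):
                if target not in pod_ports(dep):
                    errors.append(f"Service/{name}: targetPort {target} not exposed by "
                                  f"Deployment/{dep['metadata']['name']}")
    for ing in (m for m in manifests if m.get("kind") == "Ingress"):
        for rule in ing["spec"].get("rules", []):
            for path in rule.get("http", {}).get("paths", []):
                ref = path["backend"]["service"]
                wanted = ref["port"].get("number", ref["port"].get("name"))
                svc = services.get(ref["name"], {"spec": {}})  # unknown Service: no ports
                exposed = {v for p in svc["spec"].get("ports", []) for v in (p["port"], p.get("name"))}
                if wanted is None or wanted not in exposed:
                    errors.append(f"Ingress/{ing['metadata']['name']}: {ref['name']}:{wanted} is not a Service port")
    return errors
```

Each manifest here is valid on its own, which is why a per-file schema check passes them; the errors only appear when the three are evaluated together.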
$ conftest pull github.com/k-kinzal/kubernetes-relational-policy/
$ conftest test [your manifest]
# or
$ conftest test --combine [your manifest1] [your manifest2]
# or
$ helm template . | conftest test --combine -
In KPR, you can turn off the policy by loading the configuration.
$ cat <<EOS >config.yaml
apiVersion: k-kinzal.github.io/v1beta1
kind: KubernetesRelationalPolicy
spec:
  ingress:
    disableAllRule: true
    disableMatchBackendServiceRule: false
  service:
    disableAllRule: false
    disableMatchTargetPortPodRule: false
  deployment:
    disableAllRule: false
    disableMatchLabelSelector: false
EOS
$ conftest test --combine config.yaml [your manifest]
The latest definition of the configuration can be found here.