Added warn-podman-history-bestpractices (#33)
garethahealy authored Jun 24, 2020
1 parent 7448345 commit e06b1b9
Showing 6 changed files with 205 additions and 0 deletions.
3 changes: 3 additions & 0 deletions README.md
Expand Up @@ -34,6 +34,9 @@ Current policies in this repo are below. The naming of the policy files follows
- [warn-ocp-deploymentconfig-bestpractices.rego](policy/warn-ocp-deploymentconfig-bestpractices.rego)
- warn rules to check DeploymentConfig conform to standard practices; i.e.: triggers are set

- [warn-podman-history-bestpractices.rego](policy/warn-podman-history-bestpractices.rego)
- warn rules to check a wrapped JSON output of "podman history"; i.e.: expected base layer is found.

## 3rd Party Policies
A list of git repos that contain rego polices which can be combined with this repo:
- [deprek8ion: Rego policies to monitor Kubernetes APIs deprecations](https://github.com/swade1987/deprek8ion)
11 changes: 11 additions & 0 deletions _test/conftest.sh
Expand Up @@ -187,4 +187,15 @@ load _helpers
[ "${lines[1]}" = "# Warnings" ]
[ "${lines[2]}" = "not ok 1 - /tmp/rego-policies/_test/warn-ocp-deploymentconfig-bestpractices/list-DeploymentConfig.yml - DeploymentConfig/NoTriggers: has no triggers set. Could you use a k8s native Deployment? See: https://kubernetes.io/docs/concepts/workloads/controllers/deployment" ]
[ "${lines[3]}" = "# Successes" ]
}

@test "_test/warn-podman-history-bestpractices" {
copy_file_via_jq "_test/warn-podman-history-bestpractices/jenkins-python-mising.json"
run conftest test /tmp/rego-policies/_test/warn-podman-history-bestpractices/jenkins-python-mising.json --output tap

print_err "$status" "$output"
[ "$status" -eq 0 ]
[ "${lines[1]}" = "# Warnings" ]
[ "${lines[2]}" = "not ok 1 - /tmp/rego-policies/_test/warn-podman-history-bestpractices/jenkins-python-mising.json - quay.io/redhat-cop/jenkins-agent-python:has-missing-sha: did not find expected SHA" ]
[ "${lines[3]}" = "# Successes" ]
}
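Review bot: The new @test at `@test "_test/warn-podman-history-bestpractices"` only exercises the negative fixture; jenkins-base.json and jenkins-python.json, both of which contain the expected layer id, are added in this commit but no test asserts that conftest reports no warning for them, so a regression that makes the warn rule never fire would go unnoticed. A second case mirroring this one, `copy_file_via_jq "_test/warn-podman-history-bestpractices/jenkins-python.json"` followed by a run that asserts `"$status" -eq 0` and that no `not ok` line appears in `$output`, would cover the positive path. The fixture name `jenkins-python-mising.json` is misspelled; renaming it to `jenkins-python-missing.json` now, before other tests reference it, avoids carrying the typo into the assertion strings.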
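--- /dev/null
+++ b/_test/warn-podman-history-bestpractices/jenkins-base.json
@@ -0,0 +1,48 @@
+{
+"kind": "PodmanHistory",
+"image": "quay.io/openshift/origin-jenkins-agent-base:4.4",
+"items": [
+{
+"id": "cd343f0d83042932fa992e095cd4a93a89a3520873f99b0e15fde69eb46e7e10",
+"created": "2020-06-13T00:10:44.644429651Z",
+"createdBy": "#(imagebuilder)\nsleep 86400",
+"size": 142760172,
+"comment": ""
+},
+{
+"id": "<missing>",
+"created": "2020-06-12T14:14:33.678935249Z",
+"createdBy": "#(imagebuilder)\nsleep 86400",
+"size": 23654098,
+"comment": ""
+},
+{
+"id": "<missing>",
+"created": "2020-06-12T00:01:02.659155605Z",
+"createdBy": "#(imagebuilder)\nsleep 86400",
+"size": 8228164,
+"comment": ""
+},
+{
+"id": "<missing>",
+"created": "2020-06-11T23:59:19.028786352Z",
+"createdBy": "#(imagebuilder)\nsleep 86400",
+"size": 381,
+"comment": ""
+},
+{
+"id": "<missing>",
+"created": "2020-05-11T17:22:52.084344Z",
+"createdBy": "",
+"size": 1598,
+"comment": ""
+},
+{
+"id": "<missing>",
+"created": "2020-05-11T17:22:43.455017502Z",
+"createdBy": "",
+"size": 76275160,
+"comment": "Imported from -"
+}
+]
+}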
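--- /dev/null
+++ b/_test/warn-podman-history-bestpractices/jenkins-python-mising.json
@@ -0,0 +1,62 @@
+{
+"kind": "PodmanHistory",
+"image": "quay.io/redhat-cop/jenkins-agent-python:has-missing-sha",
+"items": [
+{
+"id": "6135f0ff5da4d6c5ebcfe38fcf52bab3a49c43de9ad6bb3884bef59b10ecbdca",
+"created": "2020-06-19T10:36:48.712467197Z",
+"createdBy": "/bin/sh -c #(nop) USER 1001",
+"size": 48,
+"comment": ""
+},
+{
+"id": "6f83ff5c1a57b73a7d7858800fad7189f2e685149b85f3904d59f0bbcab0f66e",
+"created": "2020-06-19T10:36:45.820561751Z",
+"createdBy": "/bin/sh -c #(nop) ENV PYTHON_VERSION=3.6 PATH=$HOME/.local/bin/:$PATH PYTHONUNBUFFERED=1 PYTHONIOENCODING=UTF-8 LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PIP_NO_CACHE_DIR=off",
+"size": 1024,
+"comment": ""
+},
+{
+"id": "240094e9dbde7f8daf02a3c053dd308db13d7937177fbd768ecae594f60c7d78",
+"created": "2020-06-19T10:36:42.813278695Z",
+"createdBy": "/bin/sh -c #(nop) EXPOSE 8080",
+"size": 1024,
+"comment": ""
+},
+{
+"id": "<missing>",
+"created": "2020-06-12T14:14:33.678935249Z",
+"createdBy": "#(imagebuilder)\nsleep 86400",
+"size": 75718144,
+"comment": ""
+},
+{
+"id": "<missing>",
+"created": "2020-06-12T00:01:02.659155605Z",
+"createdBy": "#(imagebuilder)\nsleep 86400",
+"size": 22415872,
+"comment": ""
+},
+{
+"id": "<missing>",
+"created": "2020-06-11T23:59:19.028786352Z",
+"createdBy": "#(imagebuilder)\nsleep 86400",
+"size": 4608,
+"comment": ""
+},
+{
+"id": "<missing>",
+"created": "2020-05-11T17:22:52.084344Z",
+"createdBy": "",
+"size": 20480,
+"comment": ""
+},
+{
+"id": "<missing>",
+"created": "2020-05-11T17:22:43.455017502Z",
+"createdBy": "",
+"size": 215326720,
+"comment": "Imported from -"
+}
+]
+}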
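--- /dev/null
+++ b/_test/warn-podman-history-bestpractices/jenkins-python.json
@@ -0,0 +1,69 @@
+{
+"kind": "PodmanHistory",
+"image": "quay.io/redhat-cop/jenkins-agent-python:latest",
+"items": [
+{
+"id": "6135f0ff5da4d6c5ebcfe38fcf52bab3a49c43de9ad6bb3884bef59b10ecbdca",
+"created": "2020-06-19T10:36:48.712467197Z",
+"createdBy": "/bin/sh -c #(nop) USER 1001",
+"size": 48,
+"comment": ""
+},
+{
+"id": "6f83ff5c1a57b73a7d7858800fad7189f2e685149b85f3904d59f0bbcab0f66e",
+"created": "2020-06-19T10:36:45.820561751Z",
+"createdBy": "/bin/sh -c #(nop) ENV PYTHON_VERSION=3.6 PATH=$HOME/.local/bin/:$PATH PYTHONUNBUFFERED=1 PYTHONIOENCODING=UTF-8 LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PIP_NO_CACHE_DIR=off",
+"size": 1024,
+"comment": ""
+},
+{
+"id": "240094e9dbde7f8daf02a3c053dd308db13d7937177fbd768ecae594f60c7d78",
+"created": "2020-06-19T10:36:42.813278695Z",
+"createdBy": "/bin/sh -c #(nop) EXPOSE 8080",
+"size": 1024,
+"comment": ""
+},
+{
+"id": "cd343f0d83042932fa992e095cd4a93a89a3520873f99b0e15fde69eb46e7e10",
+"created": "2020-06-13T00:10:44.644429651Z",
+"createdBy": "#(imagebuilder)\nsleep 86400",
+"size": 412219904,
+"comment": ""
+},
+{
+"id": "<missing>",
+"created": "2020-06-12T14:14:33.678935249Z",
+"createdBy": "#(imagebuilder)\nsleep 86400",
+"size": 75718144,
+"comment": ""
+},
+{
+"id": "<missing>",
+"created": "2020-06-12T00:01:02.659155605Z",
+"createdBy": "#(imagebuilder)\nsleep 86400",
+"size": 22415872,
+"comment": ""
+},
+{
+"id": "<missing>",
+"created": "2020-06-11T23:59:19.028786352Z",
+"createdBy": "#(imagebuilder)\nsleep 86400",
+"size": 4608,
+"comment": ""
+},
+{
+"id": "<missing>",
+"created": "2020-05-11T17:22:52.084344Z",
+"createdBy": "",
+"size": 20480,
+"comment": ""
+},
+{
+"id": "<missing>",
+"created": "2020-05-11T17:22:43.455017502Z",
+"createdBy": "",
+"size": 215326720,
+"comment": "Imported from -"
+}
+]
+}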
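--- /dev/null
+++ b/policy/warn-podman-history-bestpractices.rego
@@ -0,0 +1,12 @@
+package main
+
+warn[msg] {
+input.kind == "PodmanHistory"
+not imageHistoryContainsLayer(input.items)
+
+msg := sprintf("%s: did not find expected SHA", [input.image])
+}
+
+imageHistoryContainsLayer(layers) {
+layers[_].id == "cd343f0d83042932fa992e095cd4a93a89a3520873f99b0e15fde69eb46e7e10"
+}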
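Review bot: The expected layer id in `layers[_].id == "cd343f0d…"` is an unexplained literal inside the rule body; nothing records which base image it belongs to, and the warning message does not say which id was expected, so when the base image is rebuilt the policy silently starts warning on every image and nobody can tell from the output why. Hoist it into a documented package-level value, `# Layer id of quay.io/openshift/origin-jenkins-agent-base:4.4 (see _test/warn-podman-history-bestpractices/jenkins-base.json); update when the base image is rebuilt` and `expected_base_layer := "cd343f0d83042932fa992e095cd4a93a89a3520873f99b0e15fde69eb46e7e10"`, and compare with `layers[_].id == expected_base_layer`. Longer term the approved id could be read from `data` (supplied through conftest's `--data` flag) so the pinned base layer can be rotated without editing the policy. The fixtures also show most layers reported with id `<missing>`, so the check only works while podman history reports an id for the base layer; a one-line comment above `imageHistoryContainsLayer` stating that precondition would save the next reader a debugging session.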
