redhat-cop/rego-policies

add schema validation to opa eval scripts

garethahealy opened this issue · 11 comments

Did a bit of playing around tonight. Probably need to merge a couple of schemas to get something working due to how the rego is currently written:

$ opa eval --format pretty --input /tmp/rhcop/19-03-2021-17-27/policy/ocp/bestpractices/common-k8s-labels-notset/test_data/unit/list.yml --data policy/lib --data policy/lib/kubernetes.rego --data policy/lib/openshift.rego --data policy/ocp/bestpractices/common-k8s-labels-notset/src.rego --schema _test/openshift-json-schema/release-4.5-local/deploymentconfig-apps-v1.json data.ocp.bestpractices.common_k8s_labels_notset
2 errors occurred:
policy/lib/konstraint/core.rego:7: rego_type_error: undefined ref: input.review
	input.review
	      ^
	      have: "review"
	      want (one of): ["apiVersion" "kind" "metadata" "spec" "status"]
policy/lib/konstraint/core.rego:10: rego_type_error: undefined ref: input.review.object
	input.review.object
	      ^
	      have: "review"
	      want (one of): ["apiVersion" "kind" "metadata" "spec" "status"]

Even generating a schema that wraps a gatekeeper review + target kind (see attached), I still hit issues around how the rego is written to handle multiple types:

policy/lib/konstraint/pods.rego:16: rego_type_error: undefined ref: data.lib.konstraint.core.resource.spec.jobTemplate.spec.template
	data.lib.konstraint.core.resource.spec.jobTemplate.spec.template
	                                       ^
	                                       have: "jobTemplate"
	                                       want (one of): ["template"]

schema.log

Added an example showing the above:

git clone --branch schema-playground --depth 1 https://github.com/garethahealy/rego-policies.git
cd rego-policies
_test/testing-schema.sh

@aavarghese @vazirim thoughts?
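The "wrap a gatekeeper review + target kind" approach described above, as an added example that is not part of the issue or the repo: it nests a kind schema (a constructed, cut-down stand-in for `deploymentconfig-apps-v1.json`) under `review.object` / `review.oldObject` so the top-level properties match what `input.review.object` expects, and it lists the top-level keys that the type checker reports as "want (one of)".

```python
"""Build an AdmissionReview-style wrapper schema around a Kubernetes kind schema."""
import json
from typing import Any, Dict, List, Optional

# Constructed stand-in for deploymentconfig-apps-v1.json: only the top-level
# fields are kept, which is all this example needs.
DEPLOYMENTCONFIG_SCHEMA: Dict[str, Any] = {
    "$schema": "http://json-schema.org/draft-07/schema#",
    "type": "object",
    "properties": {
        "apiVersion": {"type": "string"},
        "kind": {"type": "string"},
        "metadata": {"type": "object", "properties": {"labels": {"type": "object"}}},
        "spec": {"type": "object", "properties": {"template": {"type": "object"}}},
        "status": {"type": "object"},
    },
}


def top_level_keys(schema: Dict[str, Any]) -> List[str]:
    """Sorted top-level property names: the set OPA reports as 'want (one of)'."""
    return sorted(schema.get("properties", {}).keys())


def wrap_review_schema(kind_schema: Dict[str, Any], include_old_object: bool = True) -> Dict[str, Any]:
    """Return a schema whose root is {review: {object: <kind>, oldObject: <kind>}}.

    Keys starting with '$' ($schema, $id) are dropped from the nested copy since
    they only make sense at a document root.
    """
    nested = {k: v for k, v in kind_schema.items() if not k.startswith("$")}
    review_props: Dict[str, Any] = {"object": nested}
    if include_old_object:
        review_props["oldObject"] = nested
    return {
        "$schema": "http://json-schema.org/draft-07/schema#",
        "type": "object",
        "properties": {"review": {"type": "object", "properties": review_props}},
        "required": ["review"],
    }


def lookup(schema: Dict[str, Any], path: str) -> Optional[Dict[str, Any]]:
    """Walk 'properties' along a dotted ref (e.g. review.object.spec); None if undefined."""
    node: Optional[Dict[str, Any]] = schema
    for seg in path.split("."):
        node = node.get("properties", {}).get(seg) if node is not None else None
    return node


if __name__ == "__main__":
    print(json.dumps(wrap_review_schema(DEPLOYMENTCONFIG_SCHEMA), indent=2))
```

Write the printed schema to a file and pass it with `--schema` in place of the bare kind schema; `lookup` mirrors the ref walk the type checker does, so an unresolved path returns None.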

Wondering if this would be resolved by passing in the schemas dir. This PR suggests that's supported, but I can't see where it made the release, and when I've tried to pass in a dir, I get a read error:

opa eval --input /tmp/rhcop/23-03-2021-10-40/policy/ocp/bestpractices/common-k8s-labels-notset/test_data/unit/list.yml --data policy/lib --data policy/ocp/bestpractices/common-k8s-labels-notset/src.rego --schema _test/openshift-json-schema/release-4.5-local/ --profile --format pretty data.ocp.bestpractices.common_k8s_labels_notset
read _test/openshift-json-schema/release-4.5-local/: is a directory

@garethahealy yes PR 3123 hasn't been merged yet but it's very close. It will be available in the next release of OPA.
It has support for schema directories and schema annotations attached to rules.

Hey @vazirim; I've tried with that PR as well but don't get any schema warnings when I'd expect to:

Any ideas what I might be doing wrong?

CC @sabre1041

The above commit link has comments around how we could use it.

@garethahealy @sabre1041 the latest release of OPA (v0.28.0) released yesterday contains support for schema annotations and uploading a directory of JSON schemas to the OPA engine. Compared to the previous release it supports schemas for both input and data documents. There are several features for globally scoped annotations and various other scopes, which should hopefully help with Rego library development for COP. Please check it out and let us know if you have any feedback. Here's the documentation: https://www.openpolicyagent.org/docs/latest/schemas/ cc: @vazirim

@aavarghese I saw the tweet and medium post!

@aavarghese; can the schema validation be used with variables?

i.e.: https://github.com/redhat-cop/rego-policies/blob/master/policy/ocp/bestpractices/container-env-maxmemory-notset/src.rego#L23-L27

could I add the below schema to the above method?

# METADATA
# scope: rule
# schemas:
# - container: schema["container-v1"]

I've obviously tried but get:

rego_parse_error: invalid document reference

@garethahealy Today the schema support in OPA only allows the path refs to either be input or data.

We have future plans to look into supporting other refs for rule inputs/outputs etc. This is a good example use case for variables - thanks for sharing! Will let you know if there are updates. cc: @vazirim