redhat-cop/rego-policies

Add readme how to use Gatekeeper

ch-stark opened this issue · 3 comments

I see some references to konstraint. Is the way to go to use this tool to create the constraints/constrainttemplates from rego?

konstraint is just used to generate the template and constraint used by gatekeeper. If you look at one of the policies:

$ ls -lrt policy/ocp/bestpractices/common-k8s-labels-notset
total 16
-rw-r--r-- 1 gahealy 1438 Apr  8  2022 src.rego
drwxr-xr-x 4 gahealy  128 Apr  8  2022 test_data

There aren't any gatekeeper CRs generated. Running konstraint create --constraint-template-version v1 generates them:

$ ls -lrt policy/ocp/bestpractices/common-k8s-labels-notset
total 16
-rw-r--r-- 1 gahealy 1438 Apr  8  2022 src.rego
drwxr-xr-x 4 gahealy  128 Apr  8  2022 test_data
-rw-r--r-- 1 gahealy 5758 Dec  7 14:10 template.yaml
-rw-r--r-- 1 gahealy  582 Dec  7 14:10 constraint.yaml

The tool is nice and simple, but would I suggest a customer use konstraint? Probably not. Helm or kustomize can do the same job.

@garethahealy thanks, I would not know how to generate Constraints from Rego via Kustomize. I assume I'd need to use some transformer.

added link to TESTING.md in README.md