Overview
In this article, we are going to learn about how to create Deny / Allow rule for Kubernetes POD image.
Working Example
Let’s create a Directory called test6 and create 3 files like below:
policy.rego
package kubernetes
deny[msg] {
some j
input.request.kind.kind == "Pod"
# The `some` keyword declares local variables. This rule declares a variable
# The policy checks if the container object's `"image"` field does not
# start with "hooli.com/".
image := input.request.object.spec.containers[j].image
name := input.request.object.spec.containers[j].name
not startswith(image, "hooli.com/")
msg := sprintf("Image '%v' comes '%v' from untrusted registry", [image,name])
}
allow {
some j
input.request.kind.kind == "Pod"
# The policy allows if the container object's `"image"` field
# start with "hooli.com/".
image := input.request.object.spec.containers[j].image
name := input.request.object.spec.containers[j].name
startswith(image, "hooli.com/")
}
input.json
{
"kind": "AdmissionReview",
"request": {
"kind": {
"kind": "Pod",
"version": "v1"
},
"object": {
"metadata": {
"name": "myapp"
},
"spec": {
"containers": [
{
"image": "hooli.com/nginx",
"name": "nginx-frontend"
},
{
"image": "mysql",
"name": "mysql-backend"
}
]
}
}
}
}
Testing The policy
1. Testing Deny policy using “opa eval” command:
opa eval --input input.json --data policy.rego 'data.kubernetes.deny'The Output:
rajeevghosh@penguin:~/OPA/test6$ opa eval --input input.json --data policy.rego 'data.kubernetes.deny'
{
"result": [
{
"expressions": [
{
"value": [
"Image 'mysql' comes 'mysql-backend' from untrusted registry"
],
"text": "data.kubernetes.deny",
"location": {
"row": 1,
"col": 1
}
}
]
}
]
}
2. Testing Allow policy using “opa eval” command:
opa eval --input input.json --data policy.rego 'data.kubernetes.allow'The output:
rajeevghosh@penguin:~/OPA/test6$ opa eval --input input.json --data policy.rego 'data.kubernetes.allow'
{
"result": [
{
"expressions": [
{
"value": true,
"text": "data.kubernetes.allow",
"location": {
"row": 1,
"col": 1
}
}
]
}
]
}Excellent So far !! Now let’s write some test cases for our policy.
Writing Test Cases ( Testing the Rules as a whole)
Please create “policy_test.rego” like below:
Here, we are writing 2 test cases : – One for deny rule and One for allow rule each.
We are expecting both test cases to pass since in deny rule we are passing mysql image also in our input data , which is not allowed.
Similarly, Allow rule should also pass since we are passing only valid image “hooli.com/nginx” in input data.
policy_test.rego
package test
import data.kubernetes.deny
import data.kubernetes.allow
test_mysql_is_not_allowed {
deny with input as {
"kind": "AdmissionReview",
"request": {
"kind": {
"kind": "Pod",
"version": "v1"
},
"object": {
"metadata": {
"name": "myapp"
},
"spec": {
"containers": [
{
"image": "hooli.com/nginx",
"name": "nginx-frontend"
},
{
"image": "mysql",
"name": "mysql-backend"
}
]
}
}
}
}
}
test_hooli_is_allowed {
allow with input as {
"kind": "AdmissionReview",
"request": {
"kind": {
"kind": "Pod",
"version": "v1"
},
"object": {
"metadata": {
"name": "myapp"
},
"spec": {
"containers": [
{
"image": "hooli.com/nginx",
"name": "nginx-frontend"
},
]
}
}
}
}
}
Now let’s run the test.
rajeevghosh@penguin:~/OPA/test6$ opa test .
PASS: 2/2
rajeevghosh@penguin:~/OPA/test6$ 
So, both of our test cases have passed. This is what we have predicted, right ??
The code: You can download the code from git repo.
Happy Learning !!
