Need help with konstraint?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

plexsystems
151 Stars 18 Forks MIT License 116 Commits 10 Opened issues

Description

A policy management tool for interacting with Gatekeeper

Services available

!
?

Need anything else?

Contributors list

Konstraint

Go Report Card GitHub release

logo

Konstraint is a CLI tool to assist with the creation and management of templates and constraints when using Gatekeeper.

Installation

GO111MODULE=on go get github.com/plexsystems/konstraint

Binaries are also available on the releases page.

Usage

To create the Gatekeeper resources, use

konstraint create 
.

To generate the accompanying documentation, use

konstraint doc 
.

Both commands support the

--output
flag to specify where to save the output. For more detailed usage documentation, see the CLI Documentation.

Why this tool exists

Automatically copy Rego to the ConstraintTemplate

When writing policies for Gatekeeper, the Rego must be added to ConstraintTemplates in order for Gatekeeper to enforce the policy. This creates a scenario in which the Rego is written in a

.rego
file, and then copied into the ConstraintTemplate. When a change is needed to be made to the Rego, both instances must be updated.

Automatically update all ConstraintTemplates with library changes

Gatekeeper supports importing libraries into

ConstraintTemplates
with the
libs
field. If a change is required to the imported library, every template must be updated to include this new change.

Enable writing the same policies for Conftest and Gatekeeper

With Gatekeeper, policies are evaluated in the context of an AdmissionReview. This means that policies are typically written with a prefix of

input.review.object
.

With Conftest, policies are written against

yaml
files.

This creates a scenario where the policy needs to be written differently depending upon the context in which the policy is being evaluated in.

Kubernetes Libraries

In the examples/lib directory, there are multiple libraries that enable policies to be written for both Conftest and Gatekeeper.

You can include as little or as many of these libraries into your policies as desired.

Purpose

By first validating the Kubernetes manifests with

Conftest
on a local machine, we can catch manifests that would otherwise violate policy without needing to deploy to a cluster running Gatekeeper.

FAQ

Konstraint ran without error, but I don't see any new files.

This typically means no policies were found, or the policies did not have any

violation[]
rules, so they are not compatible with Gatekeeper.

For more information, see How Constraints are Created.

My ConstraintTemplates are missing the input parameters

Input parameters can be specified by using one or more

@parameter  
tags in the comment header block. If you use input parameters, Konstraint will skip generating the
Constraint
resource for that policy.

For more information, see Using Input Parameters.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.