
Config Validator Policy Library

This repo contains a library of constraint templates and sample constraints.

For information on setting up Config Validator to secure your environment, see the User Guide.

Initializing a policy library

You can easily set up a new (local) policy library by downloading a bundle using kpt.

Download the full policy library and install the Forseti bundle:

export BUNDLE=forseti-security
kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library
kpt fn source policy-library/samples/ | \
  kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
  kpt fn sink policy-library/policies/constraints/$BUNDLE

Once you have initialized a library, commit it to a git repository so that policy changes are versioned and reviewed like any other code.

Developing a Constraint

If this library doesn't contain a constraint that matches your use case, you can develop a new one using the Constraint Template Authoring Guide.

Available Commands

make audit                          Run audit against real CAI dump data
make build                          Format and build
make build_templates                Inline Rego rules into constraint templates
make debug                          Show debugging output from OPA
make format                         Format Rego rules
make help                           Prints help for targets with comments
make test                           Test constraint templates via OPA

Inlining

You can run make build to automatically inline Rego rules into your constraint templates.

This is done by finding #INLINE("filename") and #ENDINLINE statements in your YAML and replacing everything between them with the contents of the named file. The two marker lines themselves are kept, so the build can be re-run whenever the Rego changes.

For example, running make build turns the raw content into the replaced content below:

Raw:

#INLINE("my_rule.rego")
# This text will be replaced
#ENDINLINE

Replaced:

#INLINE("my_rule.rego")
#contents of my_rule.rego
#ENDINLINE
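The following Python shows the replacement step as an added example written for this page; it is not the project's own build tool, which make build invokes. It assumes the marker lines keep their indentation and that the inlined body should be indented to match, which is what is needed when the markers sit inside a rego: | block scalar in a constraint template. The page does not say where the build resolves the named file, so file lookup is a callback parameter here. The sample template and Rego rule are constructed for the example.

```python
import re
from pathlib import Path

# A marker such as `        #INLINE("my_rule.rego")`; the indentation is captured so the
# inlined body can be aligned with it (assumption: the tool aligns the body this way).
INLINE_RE = re.compile(r'^(?P<indent>[ \t]*)#INLINE\("(?P<path>[^"]+)"\)[ \t]*$')
END_RE = re.compile(r'^[ \t]*#ENDINLINE[ \t]*$')


def inline_rego(yaml_text: str, read_file) -> str:
    """Replace everything between #INLINE("f") and #ENDINLINE with the contents of f.

    read_file(path) returns the text of the referenced file. Both marker lines are kept,
    so running the function on its own output replaces the body again (idempotent).
    A marker without a terminator, or a nested marker, is a template error.
    """
    out = []
    lines = yaml_text.splitlines()
    i = 0
    while i < len(lines):
        m = INLINE_RE.match(lines[i])
        if not m:
            out.append(lines[i])
            i += 1
            continue
        indent, path = m.group("indent"), m.group("path")
        j = i + 1
        while j < len(lines) and not END_RE.match(lines[j]):
            if INLINE_RE.match(lines[j]):
                raise ValueError(f"nested #INLINE at line {j + 1}")
            j += 1
        if j == len(lines):
            raise ValueError(f'#INLINE("{path}") at line {i + 1} has no #ENDINLINE')
        out.append(lines[i])
        for body_line in read_file(path).splitlines():
            # Blank lines stay blank; everything else is indented to the marker.
            out.append(indent + body_line if body_line.strip() else "")
        out.append(lines[j])
        i = j + 1
    return "\n".join(out) + ("\n" if yaml_text.endswith("\n") else "")


def inline_file(template_path, rego_dir) -> str:
    """Inline in place, reading rego files from rego_dir (hypothetical layout)."""
    template = Path(template_path)
    result = inline_rego(template.read_text(),
                         lambda name: (Path(rego_dir) / name).read_text())
    template.write_text(result)
    return result


# Constructed sample input: a fragment of a template with the markers inside rego: |
SAMPLE_TEMPLATE = """\
spec:
  targets:
    - rego: |
        #INLINE("my_rule.rego")
        # This text will be replaced
        #ENDINLINE
"""

# Constructed sample rule file, keyed by the name used in the marker.
SAMPLE_RULES = {
    "my_rule.rego": 'package templates.gcp.example\n\n'
                    'deny[msg] {\n  input.x == 1\n  msg := "x must not be 1"\n}\n',
}

EXPECTED = """\
spec:
  targets:
    - rego: |
        #INLINE("my_rule.rego")
        package templates.gcp.example

        deny[msg] {
          input.x == 1
          msg := "x must not be 1"
        }
        #ENDINLINE
"""

if __name__ == "__main__":
    print(inline_rego(SAMPLE_TEMPLATE, SAMPLE_RULES.__getitem__))
```

Because the markers survive the rewrite, the inlined YAML can be checked into git alongside the Rego source and regenerated on every build; a diff between the two is a cheap check that nobody edited the inlined copy by hand.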

Linting Policies

Config Validator provides a policy linter. You can invoke it as:

go get github.com/GoogleCloudPlatform/config-validator/cmd/policy-tool
policy-tool --policies ./policies --policies ./samples --libs ./lib

On Go 1.17 and later, go get no longer installs binaries; use go install github.com/GoogleCloudPlatform/config-validator/cmd/policy-tool@latest instead.

Local CI

You can run the cloudbuild CI locally as follows:

gcloud components install cloud-build-local
cloud-build-local --config ./cloudbuild.yaml --dryrun=false .

Updating CI Images

You can update the CI images to add new versions of rego/opa as they are released.

# Rebuild all images.
make -j ci-images

# Rebuild a single image
make ci-image-v1.16.0
