Conftest: The path to more efficient and effective Kubernetes automated testing

LEVEL: BASIC

This TeraTip purpose is to take our DevSecOps pipelines to the next level! We are going to make use of Conftest. What is Conftest?

Conftest is a utility to help you write tests against structured configuration data. For instance, you could write tests for your Kubernetes configurations, Tekton pipeline definitions, Terraform code, Serverless configs or any other structured data.

Conftest relies on the Rego language from Open Policy Agent for writing policies. If you're unsure what exactly a policy is, or unfamiliar with the Rego policy language, the Policy Language documentation provided by the Open Policy Agent documentation site is a great resource to read.

We are going to make a brief demo to configure some rules on a Dockerfile. It's demo time!

1) Get familiar with the Rego language

2) Let's begin writing some rules for our Dockerfile. Execute the following

touch opa-docker-security.rego

Remember, don't forget the file extension, must be .rego

3) With your IDE of choice open the file and add the following rule

package main

# Do Not store secrets in ENV variables

secrets_env = [

"passed",

"password",

"pass",

"secret",

"key",

"access",

"api_key",

"apikey",

"token",