Comments (12)
@artis3n Gatekeeper only supports data.lib.XYZ imports, so that is also what Konstraint supports. This has caused issues in the past with attempting to have conftest be able to test with input parameters supplied via the --data flag (#108 and #86). However, it's up to the Gatekeeper team about what is allowed. Relevant discussion is here: open-policy-agent/gatekeeper#1046
from konstraint.
Ah ha, thanks for that context. There's the additional difference that the lib/ directory under the examples in this repo only contains rego files. I don't see any data imports to mimic the yaml that can be passed into conftest [verify/test] --data. I am guessing konstraint only supports rego data imports then?
from konstraint.
Yes, that is correct. It would be possible to add a --data flag that would generate key:value pairs from YAML/JSON into Rego to include at a pre-determined data.lib.X path, but I'd like to have a better understanding of the use case and benefits compared to just including that data in the policy itself or another object that Gatekeeper could sync and use in decisions such as a ConfigMap.
from konstraint.
I am trying to generate policy documentation from a policy importing data with https://www.conftest.dev/options/#-data
Now I'm not using Gatekeeper...at the moment. We're using Conftest and then using Konstraint solely to generate policy documentation so I'm a bit out there as an edge case. But if this tool is supposed to maintain parity between conftest and gatekeeper I think this request is reasonable.
I have a policy looking at a Dockerfile and saying hey, only these private registries can be used. The registries are currently hard-coded into the rego as a variable but I want to break them out to publish the generic policy and let others be able to enter their own registry data without having to change the policy code.
Similarly using Conftest to enforce internal npm packages are published within our npm org scope. Want to publish that policy and similarly want to be able to do that and let other groups pass in --data to conftest to set the appropriate npm org while still being able to conftest pull <policy> and run it with their data without having to modify the rego source.
And in that world I want to leverage konstraint for nice policy documentation! Although I am not against going and replicating konstraint's policy documentation features in a separate tool that is tied to conftest, not gatekeeper, to handle more flexibility. I know this isn't the focus of your tool.
from konstraint.
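The registry use case described in the comment above, sketched as an added example (not code from the thread or from Konstraint). The data key `allowed_registries`, the file name `registries.yaml` and the registry hostnames are hypothetical, and the input shape follows Conftest's published Dockerfile example. The import sits outside `data.lib`, which is the kind of import this issue is about.

```rego
package main

import rego.v1

# Assumption: the allow-list is supplied at run time rather than hard-coded:
#   conftest test --data registries.yaml Dockerfile
# registries.yaml (constructed sample):
#   allowed_registries:
#     - registry.example.internal
#     - mirror.example.internal
import data.allowed_registries

# Assumed input shape: a list of Dockerfile instructions, where a FROM line
# has Cmd == "from" and Value == [image] or [image, "AS", alias].
deny contains msg if {
	some instruction in input
	instruction.Cmd == "from"
	image := instruction.Value[0]
	image != "scratch"

	# "FROM builder" in a multi-stage build names an earlier stage, not a registry.
	not stage_aliases[image]
	not from_allowed_registry(image)
	msg := sprintf("image %q is not pulled from an approved registry", [image])
}

# Aliases declared by earlier "FROM image AS alias" lines.
stage_aliases contains alias if {
	some instruction in input
	instruction.Cmd == "from"
	lower(instruction.Value[1]) == "as"
	alias := instruction.Value[2]
}

# True only when the image reference starts with "<registry>/".
# If --data is omitted, allowed_registries is undefined, this rule never
# succeeds, and every external image is denied (the policy fails closed).
from_allowed_registry(image) if {
	some registry in allowed_registries
	startswith(image, concat("", [registry, "/"]))
}
```

Matching on `<registry>/` rather than a bare prefix keeps a lookalike host such as `registry.example.internal.evil.test` from passing the check.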
Ah, OK I understand the intended use case now. Would the documentation include the input from the --data flag somehow? Or do you just need Konstraint to not error in this case?
from konstraint.
Yeah I don't see a reason the documentation needs to validate the rego, just mirror it in the markdown. If you want a --data flag to do validation that works, but honestly just not checking the content and mirroring the rego source into the documentation would be fine.
from konstraint.
I assume the validation is more of a side effect of this than an intentional thing? Don't have all the moving pieces in my head yet
https://github.com/plexsystems/konstraint/blob/main/internal/commands/document.go#L112
from konstraint.
Well, I think we do want to parse the Rego to make sure it's valid, but we don't need to scan the imports for documentation generation so it sounds like removing that would fit your use case without straying from the purpose of Konstraint. I'll get something together to address this in the next few days.
from konstraint.
@artis3n Can you build from https://github.com/jalseth/konstraint/tree/fix-185 and let me know if it resolves your issue?
from konstraint.
That successfully generated my documentation in my test that was previously failing, thanks for the quick fix!
from konstraint.
Great! This has been included in the latest patch release.
from konstraint.
Thank you!
from konstraint.