• 设为首页
  • 点击收藏
  • 手机版
    手机扫一扫访问
    迪恩网络手机版
  • 关注官方公众号
    微信扫一扫关注
    公众号

GoogleCloudPlatform/policy-library: A library of constraint templates and sample ...

原作者: [db:作者] 来自: 网络 收藏 邀请

开源软件名称(OpenSource Name):

GoogleCloudPlatform/policy-library

开源软件地址(OpenSource Url):

https://github.com/GoogleCloudPlatform/policy-library

开源编程语言(OpenSource Language):

TypeScript 66.5%

开源软件介绍(OpenSource Introduction):

Config Validator Policy Library

Bundles | Templates | Sample Constraints

This repo contains a library of constraint templates and sample constraints.

For information on setting up Config Validator to secure your environment, see the User Guide.

Initializing a policy library

You can easily set up a new (local) policy library by downloading a bundle using kpt.

Download the full policy library and install the Forseti bundle:

export BUNDLE=forseti-security
kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library
kpt fn source policy-library/samples/ | \
  kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
  kpt fn sink policy-library/policies/constraints/$BUNDLE

Once you have initialized a library, you might want to save it to git.

Developing a Constraint

If this library doesn't contain a constraint that matches your use case, you can develop a new one using the Constraint Template Authoring Guide.

Available Commands

make audit                          Run audit against real CAI dump data
make build                          Format and build
make build_templates                Inline Rego rules into constraint templates
make debug                          Show debugging output from OPA
make format                         Format Rego rules
make help                           Prints help for targets with comments
make test                           Test constraint templates via OPA

Inlining

You can run make build to automatically inline Rego rules into your constraint templates.

This is done by finding a INLINE("filename") and #ENDINLINE statements in your yaml, and replacing everything in between with the contents of the file.

For example, running make build would replace the raw content with the replaced content below

Raw:

#INLINE("my_rule.rego")
# This text will be replaced
#ENDINLINE

Replaced:

#INLINE("my_rule.rego")
#contents of my_rule.rego
#ENDINLINE

Linting Policies

Config Validator provides a policy linter. You can invoke it as:

go get github.com/GoogleCloudPlatform/config-validator/cmd/policy-tool
policy-tool --policies ./policies --policies ./samples --libs ./lib

Local CI

You can run the cloudbuild CI locally as follows:

gcloud components install cloud-build-local
cloud-build-local --config ./cloudbuild.yaml --dryrun=false .

Updating CI Images

You can update the CI images to add new versions of rego/opa as they are released.

# Rebuild all images.
make -j ci-images

# Rebuild a single image
make ci-image-v1.16.0



鲜花

握手

雷人

路过

鸡蛋
该文章已有0人参与评论

请发表评论

全部评论

专题导读
热门推荐
阅读排行榜

扫描微信二维码

查看手机版网站

随时了解更新最新资讯

139-2527-9053

在线客服(服务时间 9:00~18:00)

在线QQ客服
地址:深圳市南山区西丽大学城创智工业园
电邮:jeky_zhao#qq.com
移动电话:139-2527-9053

Powered by 互联科技 X3.4© 2001-2213 极客世界.|Sitemap