Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

A library of constraint templates and sample constraints for Constraint Framework tools

License

NotificationsYou must be signed in to change notification settings

GoogleCloudPlatform/policy-library

Repository files navigation

This repo contains a library of constraint templates and sample constraints.

For information on setting up Config Validator to secure your environment, see theUser Guide.

Initializing a policy library

You can easily set up a new (local) policy library by downloading abundle usingkpt.

Download the full policy library and install theForseti bundle:

export BUNDLE=forseti-securitykpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-librarykpt fn source policy-library/samples/ | \  kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \  kpt fn sink policy-library/policies/constraints/$BUNDLE

Once you have initialized a library, you might want to save it togit.

Developing a Constraint

If this library doesn't contain a constraint that matches your use case, you can develop a new oneusing theConstraint Template Authoring Guide.

Available Commands

make audit                          Run audit against real CAI dump datamake build                          Format and buildmake build_templates                Inline Rego rules into constraint templatesmake debug                          Show debugging output from OPAmake format                         Format Rego rulesmake help                           Prints help for targets with commentsmake test                           Test constraint templates via OPA

Inlining

You can runmake build to automatically inline Rego rules into your constraint templates.

This is done by finding aINLINE("filename") and#ENDINLINE statements in your yaml,and replacing everything in between with the contents of the file.

For example, runningmake build would replace the raw content with the replaced content below

Raw:

#INLINE("my_rule.rego")# This text will be replaced#ENDINLINE

Replaced:

#INLINE("my_rule.rego")#contents of my_rule.rego#ENDINLINE

Linting Policies

Config Validator provides a policy linter. You can invoke it as:

go get github.com/GoogleCloudPlatform/config-validator/cmd/policy-toolpolicy-tool --policies ./policies --policies ./samples --libs ./lib

Local CI

You can run the cloudbuild CI locally as follows:

gcloud components install cloud-build-localcloud-build-local --config ./cloudbuild.yaml --dryrun=false .

Updating CI Images

You can update the CI images to add new versions of rego/opa as they are released.

# Rebuild all images.make -j ci-images# Rebuild a single imagemake ci-image-v1.16.0

About

A library of constraint templates and sample constraints for Constraint Framework tools

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors48

[8]ページ先頭
©2009-2025 Movatter.jp