This repo contains the company policy that has been codified into kyverno and checkov policies.
See app1, app2 and app3 for kubernetes implementations; and infra1, infra2 and infra3 for terraform implementations.
These are kept in kubernetes/kyverno and can be added to by creating a new directory, and referencing this in the kustomization.yaml. It is important that test cases are created and a test.yaml accompanies the policy.yaml following the documentation of developing kyverno policy.
If you want to inherit an external policy for example from the kyverno policy library you can add the reference in the kustomization.yaml. If doing this, it is important for the stability of the policy to reference an immutable reference such as a git-sha to ensure that the implementations of policy checking based on this repo are deterministic and repeatable.
Testing can be accomplished with:
$ kyverno test .Similar to the Kubernetes policies these are in infra/checkov and can be added to by creating a new directory. checkov doesn't yet have a formalised testing pattern for policy. So a BATS testing framework has been implemented. Policy can be written either as python or yaml.
If you want to inherit an external policy for example one of the checks built in to checkov you can add to the checks in the checkov config.
If doing this, it is important for the stability of the policy to reference specific checks and an immutable reference where available such as a git-sha to ensure that the implementations of policy checking based on this repo are deterministic and repeatable.
Testing can be accomplished with:
$ bats infra/checkov/test.batsSee the What is Policy As [versioned] Code? blog post and the github organisation's .github repo to better understand how the repositories connect together.