docs: update Conftest integration (aquasecurity#778)

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
AshkanRafiee · Oct 27, 2021 · 04efb58 · 04efb58
1 parent e37c02e
commit 04efb58
Showing 1 changed file with 53 additions and 35 deletions.
diff --git a/docs/integrations/config-checkers/conftest.md b/docs/integrations/config-checkers/conftest.md
@@ -1,7 +1,7 @@
 # Conftest
 
 [Conftest] helps you write tests against structured configuration data. Using Conftest you can write tests for your
-Kubernetes configuration. Conftest uses the Rego language from [Open Policy Agent][OPA] for writing the assertions.
+Kubernetes configuration. Conftest uses the Rego language from [Open Policy Agent] for writing the assertions.
 
 Here's a simple policy that checks whether a given container runs as root:
 
@@ -59,10 +59,12 @@ As an example, let's create the `starboard-conftest-config` ConfigMap with [file
 ```
 kubectl create configmap starboard-conftest-config -n <starboard_namespace> \
   --from-literal=conftest.imageRef=openpolicyagent/conftest:v0.25.0 \
-  --from-file=conftest.policy.kubernetes.rego=kubernetes/lib/kubernetes.rego \
-  --from-file=conftest.policy.utils.rego=kubernetes/lib/utils.rego \
+  --from-file=conftest.library.kubernetes.rego=kubernetes/lib/kubernetes.rego \
+  --from-file=conftest.library.utils.rego=kubernetes/lib/utils.rego \
   --from-file=conftest.policy.file_system_not_read_only.rego=kubernetes/policies/general/file_system_not_read_only.rego \
-  --from-file=conftest.policy.uses_image_tag_latest.rego=kubernetes/policies/general/uses_image_tag_latest.rego
+  --from-file=conftest.policy.uses_image_tag_latest.rego=kubernetes/policies/general/uses_image_tag_latest.rego \
+  --from-literal=conftest.policy.file_system_not_read_only.kinds=Workload \
+  --from-literal=conftest.policy.uses_image_tag_latest.kinds=Workload
 ```
 
 To test this setup out with Starboard CLI you can create the `nginx` Deployment with the latest `nginx` image and check
@@ -79,36 +81,52 @@ starboard scan configauditreports deployment/nginx
 Finally, inspect the ConfigAuditReport to confirm that the Deployment is not compliant with test policies:
 
 ```console
-$ kubectl get configauditreport deployment-nginx -o jsonpath='{.report}' | jq
-{
-  "checks": [
-    {
-      "category": "Security",
-      "checkID": "Root file system is not read-only",
-      "message": "container nginx of deployment nginx in default namespace should set securityContext.readOnlyRootFilesystem to true",
-      "severity": "DANGER",
-      "success": false
-    },
-    {
-      "category": "Security",
-      "checkID": "Image tag \":latest\" used",
-      "message": "container nginx of deployment nginx in default namespace should specify image tag",
-      "severity": "DANGER",
-      "success": false
-    }
-  ],
-  "scanner": {
-    "name": "Conftest",
-    "vendor": "Open Policy Agent",
-    "version": "v0.25.0"
-  },
-  "summary": {
-    "dangerCount": 2,
-    "passCount": 0,
-    "warningCount": 0
-  },
-  "updateTimestamp": "2021-04-15T13:54:49Z"
-}
+$ starboard get configauditreports deployment/nginx -o yaml
+apiVersion: aquasecurity.github.io/v1alpha1
+kind: ConfigAuditReport
+metadata:
+  creationTimestamp: "2021-10-27T12:42:20Z"
+  generation: 1
+  labels:
+    plugin-config-hash: 5d5f578dd6
+    resource-spec-hash: 7d48b6dfcf
+    starboard.resource.kind: ReplicaSet
+    starboard.resource.name: nginx-6799fc88d8
+    starboard.resource.namespace: default
+  name: replicaset-nginx-6799fc88d8
+  namespace: default
+  ownerReferences:
+  - apiVersion: apps/v1
+    blockOwnerDeletion: false
+    controller: true
+    kind: ReplicaSet
+    name: nginx-6799fc88d8
+    uid: cdfd93d7-9419-4e2d-a120-107bed2f3d57
+  resourceVersion: "88048"
+  uid: 362d5b06-65a5-4925-bf96-19d23f088e0c
+report:
+  updateTimestamp: "2021-10-27T12:42:20Z"
+  scanner:
+    name: Conftest
+    vendor: Open Policy Agent
+    version: v0.25.0
+  summary:
+    dangerCount: 2
+    passCount: 0
+    warningCount: 0
+  checks:
+  - category: Security
+    checkID: Root file system is not read-only
+    message: Container 'nginx' of ReplicaSet 'nginx-6799fc88d8' should set 'securityContext.readOnlyRootFilesystem'
+      to true
+    severity: danger
+    success: false
+  - category: Security
+    checkID: Image tag ':latest' used
+    message: Container 'nginx' of ReplicaSet 'nginx-6799fc88d8' should specify an
+      image tag
+    severity: danger
+    success: false
 ```
 
 !!! Tip
@@ -126,7 +144,7 @@ $ kubectl get configauditreport deployment-nginx -o jsonpath='{.report}' | jq
 | `conftest.resources.limits.memory`   | `300M`                                       | The maximum amount of memory allowed to run Conftest scanner pod. |
 
 
-[OPA]: https://www.openpolicyagent.org
+[Open Policy Agent]: https://www.openpolicyagent.org
 [Conftest]: https://github.com/open-policy-agent/conftest
 [AppShield]: https://github.com/aquasecurity/appshield
 [kubernetes.rego]: https://raw.githubusercontent.com/aquasecurity/appshield/master/kubernetes/lib/kubernetes.rego