KubeCon + CloudNativeCon Europe Virtual | August 17-20, 2020 | Don’t Miss Out | Learn more

Conftest joins the Open Policy Agent project

Project Post

Guest post from Gareth Rushgrove, maintainer of the Open Policy Agent project

Today the Open Policy Agent maintainers are happy to announce that Conftest has formally joined the project.

A bit of history

Conftest is a command line tool for testing configuration files and uses Open Policy Agent under the hood. I built it for two reasons; the first being I wanted a developer-friendly tool for testing configuration data. The second reason was I wanted an excuse to learn Open Policy Agent!

Conftest was first demoed at KubeCon + CloudNativeCon EU in Barcelona in May 2019. The first version provided a simple command line tool, really nothing more than some built-in conventions and a high-level CLI user interface wrapping Open Policy Agent functionality.

It turned out that the use case, having a friendly way of testing a range of different configuration file formats and integrating the results into developer tools, resonated with the community. Surprisingly quickly pull requests started to flow in.

Step forward to today, and Conftest has seen over 200 pull requests from more than 30 contributors. The project has a team of maintainers and regular contributors from a range of different organizations. We’ve had an active channel on the Open Policy Agent Slack for the last year. We have integrations with CircleCI, GitHub Actions and Tekton Pipelines. Support for testing a wide range of configuration formats, including YAML, JSON, HCL, TOML, Dockerfile and more. We’ve also been leading on work to help users share OPA Bundles more easily, with tools for sharing via Git, HTTP, S3 and OCI registries. 

Conftest today

Conftest fits nicely into the overall Open Policy Agent project. OPA itself provides the policy engine, a general-purpose CLI tool and defines the Rego language that’s used by users to write policies. But it’s designed mainly as a component that can be used for lots of different use cases. Conftest is focused purely on building the best developer experience for testing configuration files on top of that more generic engine.

$ conftest test deployment.yaml

FAIL - deployment.yaml - Containers must not run as root

FAIL - deployment.yaml - Deployments are not allowed

2 tests, 0 passed, 0 warnings, 2 failures

While the above example is for Kubernetes, Conftest can be used to test a wide range of configuration file formats. You can write tests for your Envoy JSON configuration files or your Linkerd YAML files or we have a Helm plugin for testing Helm charts for example.

You can find out more about using Conftest, including lots of examples, by reading the documentation at conftest.dev.

Conftest also works well with the other Open Policy Agent subproject, Gatekeeper. While Gatekeeper focuses on securing a Kubernetes cluster, Conftest’s focus is earlier in the development process. By virtue of them both using Open Policy Agent under the hood, the same policies can be used in both tools, making using them together a real end-to-end solution.

The future

With Conftest formally joining the Open Policy Agent project we’re already talking about moving some of the features from Conftest into OPA itself. Conftest has acted as a great place to innovate on top of the core engine with things like input format parsing and sharing tools. With the projects now working even more closely together, it’s even easier to benefit all Open Policy Agent users. 

Conftest itself will retain its focus on developer experience, and making Open Policy Agent as easy as possible to adopt for testing configuration.

Join us in the #conftest channel on the Open Policy Agent Slack and head over to the GitHub repository to get started using or contributing to Conftest.