pbnj.github.io

Unit Testing Configuration Files

pile of paper garbage Infrastructure as Code. Photo courtesy: @Bass Emmen

Table of Contents

Overview

The era of Infrastructure-as-Code (IaC) has unlocked tremendous developer productivity and agility features. Now, as an Engineer, we can declare our infrastructure and environments as structured data in configuration files, such as Terraform templates, Dockerfiles, and Kubernetes manifests.

However, this agility and speed of provisioning and configuring infrastructure comes with a high risk of bugs in the form of misconfigurations.

Fortunately, we can solve this problem just as we can solve for other bugs in our products, by writing unit tests.

One such tool that can help us unit test our configuration files is conftest. What is unique about conftest is that it uses Open-Policy-Agent (OPA) and a policy language, called Rego to accomplish this.

This might appear difficult at first, but it will start to make sense.

Let’s explore 2 use-cases where we can test our configurations!

Getting Started

First, some prerequisites:

Dockerfile

Let’s say we want to prevent some images and/or tags (e.g. latest).

We need to create a simple Dockerfile:

FROM kalilinux/kali-linux-docker:latest

ENTRYPOINT ["echo"]

Now, we need to create our first unit test file, let’s call it test.rego, and place it in a directory, let’s call it policy (this is configurable).

package main

disallowed_tags := ["latest"]
disallowed_images := ["kalilinux/kali-linux-docker"]

deny[msg] {
        input[i].Cmd == "from"
        val := input[i].Value
        tag := split(val[i], ":")[1]
        contains(tag, disallowed_tags[_])

        msg = sprintf("[%s] tag is not allowed", [tag])
}

deny[msg] {
        input[i].Cmd == "from"
        val := input[i].Value
        image := split(val[i], ":")[0]
        contains(image, disallowed_images[_])

        msg = sprintf("[%s] image is not allowed", [image])
}

Assuming we are in the right directory, we can test our Dockerfile:

$ ls
Dockerfile      policy/

$ conftest test -i Dockerfile ./Dockerfile
FAIL - ./Dockerfile - [latest] tag is not allowed
FAIL - ./Dockerfile - [kalilinux/kali-linux-docker] image is not allowed

Just to be sure, let’s change this Dockerfile to pass the test:

# FROM kalilinux/kali-linux-docker:latest
FROM debian:buster

ENTRYPOINT ["echo"]
$ ls
Dockerfile      policy/

$ conftest test -i Dockerfile ./Dockerfile
PASS - ./Dockerfile - data.main.deny

“It works! But I don’t understand how,” I hear you thinking to yourself.

Let’s break the Rego syntax down:

Kubernetes

Let’s say we want to ensure that all pods are running as a non-root user.

We need to create our deployment

$ mkdir -p kubernetes
$ cat <<EOF >./kubernetes/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.7.9
          ports:
            - containerPort: 80
EOF

Now, we need to create our unit test:

$ mkdir -p ./kubernetejjjs/policy
$ cat <<EOF >./kubernetes/policy/test.rego
package main

name := input.metadata.name

deny[msg] {
  input.kind == "Deployment"
  not input.spec.template.spec.securityContext.runAsNonRoot

  msg = sprintf("Containers must run as non root in Deployment %s. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", [name])
}
EOF

And, let’s run it:

conftest test -i yaml ./kubernetes/deployment.yaml
FAIL - ./kubernetes/deployment.yaml - Containers must run as non root in Deployment nginx-deployment. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

This is a bit more straightforward:

Next Steps

So, where to go from here?

The Rego language is vast and it can take a bit to wrap your head around how it works. You can even send and receive HTTP requests inside Rego.

I recommend reading the docs to learn more about Rego’s capabilities:

I also barely scratched the surface with conftest in this blog post. The repository has a nice list of examples that you should peruse at your leisure. conftest even supports sharing policies via uploading OPA bundles to OCI-compliant registries, e.g. conftest push ..., conftest pull ....

Lastly, if you have any questions, the OPA community is friendly and welcoming. Feel free to join the #conftest channel in OPA Slack.

Happy coding!