chore: policy linting

.github/workflows/policy-test.yml

@@ -41,7 +41,7 @@ jobs:
       - name: Run Policy tests - v2 policies
         run: opa test ${{ env.GKE_POLICY_DIRECTORY_V2 }} -v
       - name: Setup Regal
-        uses: StyraInc/setup-regal@v0.2.0
+        uses: StyraInc/setup-regal@v1
         with:
-          version: v0.10.1
+          version: v0.20.1
       - run: regal lint --format github ${{ env.GKE_POLICY_DIRECTORY_V2 }}

.regal/config.yaml

@@ -18,15 +18,10 @@ rules:
       # not applicable to this project
       level: ignore
   style:
-    detached-metadata:
-      # style preference only
-      level: ignore
     line-length:
       level: ignore
     opa-fmt:
       level: ignore
-    prefer-some-in-iteration:
-      level: ignore
-  testing:
-    test-outside-test-package:
+  imports:
+    use-rego-v1:
       level: ignore

gke-policies-v2/policy/autopilot_cluster.rego

@@ -24,16 +24,18 @@
 #   externalURI: https://cloud.google.com/kubernetes-engine/docs/concepts/choose-cluster-mode
 #   sccCategory: AUTOPILOT_DISABLED
 #   dataSource: gke
-
 package gke.policy.autopilot
 
+import future.keywords.if
+import future.keywords.contains
+
 default valid := false
 
-valid {
+valid if {
 	count(violation) == 0
 }
 
-violation[msg] {
+violation contains msg if {
 	not input.data.gke.autopilot.enabled
 	msg := "Cluster is not using Autopilot mode"
 }

gke-policies-v2/policy/autopilot_cluster_test.rego

@@ -12,12 +12,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-package gke.policy.autopilot
+package gke.policy.autopilot_test
 
-test_autopilot_mode_enabled {
-	valid with input as {"data": {"gke": {"name": "test-cluster", "private_cluster_config": {"enable_private_nodes": true}, "autopilot": {"enabled": true}}}}
+import future.keywords.if
+import data.gke.policy.autopilot
+
+test_autopilot_mode_enabled if {
+	autopilot.valid with input as {"data": {"gke": {"name": "test-cluster", "private_cluster_config": {"enable_private_nodes": true}, "autopilot": {"enabled": true}}}}
 }
 
-test_autopilot_mode_disabled {
-	not valid with input as {"data": {"gke": {"name": "test-cluster", "private_cluster_config": {"enable_private_nodes": false}, "autopilot": {}}}}
+test_autopilot_mode_disabled if {
+	not autopilot.valid with input as {"data": {"gke": {"name": "test-cluster", "private_cluster_config": {"enable_private_nodes": false}, "autopilot": {}}}}
 }

gke-policies-v2/policy/cluster_binary_authorization.rego

@@ -28,16 +28,18 @@
 #     version: "1.4"
 #     id: "5.10.5"
 #   dataSource: gke
-
 package gke.policy.cluster_binary_authorization
 
+import future.keywords.if
+import future.keywords.contains
+
 default valid := false
 
-valid {
+valid if {
   count(violation) == 0
 }
 
-violation[msg] {
+violation contains msg if {
   not input.data.gke.binary_authorization.enabled
   msg := "Cluster is not configured with binary authorization"
 }

gke-policies-v2/policy/cluster_binary_authorization_test.rego

@@ -12,14 +12,17 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-package gke.policy.cluster_binary_authorization
+package gke.policy.cluster_binary_authorization_test
 
-test_cluster_not_configured_binary_authorization {
-    not valid with input as {"Data": {"gke": {"name": "cluster-not-repairing", "release_channel": {}, "node_pools": [{"name": "default", "management": {"auto_repair": true, "auto_upgrade": true }}]}}}
+import future.keywords.if
+import data.gke.policy.cluster_binary_authorization
+
+test_cluster_not_configured_binary_authorization if {
+    not cluster_binary_authorization.valid with input as {"Data": {"gke": {"name": "cluster-not-repairing", "release_channel": {}, "node_pools": [{"name": "default", "management": {"auto_repair": true, "auto_upgrade": true }}]}}}
 }
 
-test_cluster_configured_binary_authorization {
-    valid with input as {"data": {"gke": {
+test_cluster_configured_binary_authorization if {
+    cluster_binary_authorization.valid with input as {"data": {"gke": {
         "name": "cluster-not-repairing", 
         "binary_authorization": {
             "enabled": true

gke-policies-v2/policy/cluster_enable_security_posture.rego

@@ -27,16 +27,18 @@
 #   externalURI: https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard
 #   sccCategory: SECURITY_POSTURE_DISABLED
 #   dataSource: gke
-
 package gke.policy.cluster_security_posture
 
+import future.keywords.if
+import future.keywords.contains
+
 default valid := false
 
-valid {
+valid if {
   count(violation) == 0
 }
 
-violation[msg] {
+violation contains msg if {
   not input.data.gke.security_posture_config.mode == 2
   msg := "Cluster is not configure with Security Posture"
 }

gke-policies-v2/policy/cluster_enable_security_posture_test.rego

@@ -12,10 +12,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-package gke.policy.cluster_security_posture
+package gke.policy.cluster_security_posture_test
 
-test_cluster_enabled_security_posture {
-    valid with input as {"data": {"gke": {
+import future.keywords.if
+import data.gke.policy.cluster_security_posture
+
+test_cluster_enabled_security_posture if {
+    cluster_security_posture.valid with input as {"data": {"gke": {
         "name": "cluster-test", 
         "security_posture_config": {
            "mode": 2,
@@ -24,8 +27,8 @@ test_cluster_enabled_security_posture {
     }}}
 }
 
-test_cluster_unknown_security_posture {
-    not valid with input as {"data": {"gke": {
+test_cluster_unknown_security_posture if {
+    not cluster_security_posture.valid with input as {"data": {"gke": {
         "name": "cluster-test", 
         "security_posture_config": {
            "mode": 0,
@@ -34,8 +37,8 @@ test_cluster_unknown_security_posture {
     }}}
 }
 
-test_cluster_disabled_security_posture {
-    not valid with input as {"data": {"gke": {
+test_cluster_disabled_security_posture if {
+    not cluster_security_posture.valid with input as {"data": {"gke": {
         "name": "cluster-test", 
         "security_posture_config": {
            "mode": 1,
@@ -44,8 +47,8 @@ test_cluster_disabled_security_posture {
     }}}
 }
 
-test_cluster_missing_security_posture {
-    not valid with input as {"data": {"gke": {
+test_cluster_missing_security_posture if {
+    not cluster_security_posture.valid with input as {"data": {"gke": {
         "name": "cluster-test"
     }}}
 }

gke-policies-v2/policy/cluster_enable_workload_scanning.rego

@@ -29,16 +29,18 @@
 #   externalURI: https://cloud.google.com/kubernetes-engine/docs/concepts/about-workload-vulnerability-scanning
 #   sccCategory: WORKLOAD_SCANNING_DISABLED
 #   dataSource: gke
-
 package gke.policy.cluster_workload_scanning
 
+import future.keywords.if
+import future.keywords.contains
+
 default valid := false
 
-valid {
+valid if {
   count(violation) == 0
 }
 
-violation[msg] {
+violation contains msg if {
   not input.data.gke.security_posture_config.vulnerability_mode == 2
   msg := "Cluster is not configured with workload vulnerability scanning"
 }

gke-policies-v2/policy/cluster_enable_workload_scanning_test.rego

@@ -12,10 +12,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-package gke.policy.cluster_workload_scanning
+package gke.policy.cluster_workload_scanning_test
 
-test_cluster_enabled_workload_scanning {
-    valid with input as {"data": {"gke": {
+import future.keywords.if
+import data.gke.policy.cluster_workload_scanning
+
+test_cluster_enabled_workload_scanning if {
+    cluster_workload_scanning.valid with input as {"data": {"gke": {
         "name": "cluster-test", 
         "security_posture_config": {
            "mode": 2,
@@ -24,8 +27,8 @@ test_cluster_enabled_workload_scanning {
     }}}
 }
 
-test_cluster_disabled_workload_scanning {
-    not valid with input as {"data": {"gke": {
+test_cluster_disabled_workload_scanning if {
+    not cluster_workload_scanning.valid with input as {"data": {"gke": {
         "name": "cluster-test", 
         "security_posture_config": {
            "mode": 1,
@@ -34,8 +37,8 @@ test_cluster_disabled_workload_scanning {
     }}}
 }
 
-test_cluster_unknown_workload_scanning {
-    not valid with input as {"data": {"gke": {
+test_cluster_unknown_workload_scanning if {
+    not cluster_workload_scanning.valid with input as {"data": {"gke": {
         "name": "cluster-test", 
         "security_posture_config": {
            "mode": 1,
@@ -44,8 +47,8 @@ test_cluster_unknown_workload_scanning {
     }}}
 }
 
-test_cluster_missing_security_posture {
-    not valid with input as {"data": {"gke": {
+test_cluster_missing_security_posture if {
+    not cluster_workload_scanning.valid with input as {"data": {"gke": {
         "name": "cluster-test"
     }}}
 }

gke-policies-v2/policy/cluster_gce_csi_driver.rego

@@ -25,16 +25,18 @@
 #   externalURI: https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/gce-pd-csi-driver
 #   sccCategory: GCE_CSI_DRIVER_DISABLED
 #   dataSource: gke
-
 package gke.policy.cluster_gce_csi_driver
 
+import future.keywords.if
+import future.keywords.contains
+
 default valid := false
 
-valid {
+valid if {
   count(violation) == 0
 }
 
-violation[msg] {
+violation contains msg if {
   not input.data.gke.addons_config.gce_persistent_disk_csi_driver_config.enabled
   msg := "Cluster is not configured with GCE persistent disk CSI driver"
 }

gke-policies-v2/policy/cluster_gce_csi_driver_test.rego

@@ -12,16 +12,19 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-package gke.policy.cluster_gce_csi_driver
+package gke.policy.cluster_gce_csi_driver_test
 
-test_gce_csi_driver_addon_empty {
-    not valid with input as {"data": {"gke": {"name":"cluster-demo","addons_config":{"gce_persistent_disk_csi_driver_config":{}}}}}
+import future.keywords.if
+import data.gke.policy.cluster_gce_csi_driver
+
+test_gce_csi_driver_addon_empty if {
+    not cluster_gce_csi_driver.valid with input as {"data": {"gke": {"name":"cluster-demo","addons_config":{"gce_persistent_disk_csi_driver_config":{}}}}}
 }
 
-test_gce_csi_driver_addon_disabled {
-    not valid with input as {"data": {"gke": {"name":"cluster-demo","addons_config":{"gce_persistent_disk_csi_driver_config":{"enabled":false}}}}}
+test_gce_csi_driver_addon_disabled if {
+    not cluster_gce_csi_driver.valid with input as {"data": {"gke": {"name":"cluster-demo","addons_config":{"gce_persistent_disk_csi_driver_config":{"enabled":false}}}}}
 }
 
-test_gce_csi_driver_addon_enabled {
-   valid with input as {"data": {"gke": {"name":"cluster-demo","addons_config":{"gce_persistent_disk_csi_driver_config":{"enabled":true}}}}}
+test_gce_csi_driver_addon_enabled  if {
+   cluster_gce_csi_driver.valid with input as {"data": {"gke": {"name":"cluster-demo","addons_config":{"gce_persistent_disk_csi_driver_config":{"enabled":true}}}}}
 }

gke-policies-v2/policy/cluster_maintenance_window.rego

@@ -27,16 +27,18 @@
 #   externalURI: https://cloud.google.com/kubernetes-engine/docs/concepts/maintenance-windows-and-exclusions
 #   sccCategory: MAINTENANCE_WINDOWS_DISABLED
 #   dataSource: gke
-
 package gke.policy.cluster_maintenance_window
 
+import future.keywords.if
+import future.keywords.contains
+
 default valid := false
 
-valid {
+valid if {
   count(violation) == 0
 }
 
-violation[msg] {
+violation contains msg if {
   not input.data.gke.maintenance_policy.window.Policy
   msg := "GKE cluster is not configured with maintenance window"
 }

gke-policies-v2/policy/cluster_maintenance_window_test.rego

@@ -12,14 +12,17 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-package gke.policy.cluster_maintenance_window
+package gke.policy.cluster_maintenance_window_test
 
-test_cluster_not_configured_maintenance_window {
-    not valid with input as {"data": {"gke": {"name": "cluster-not-repairing", "release_channel": {}, "node_pools": [{"name": "default", "management": {"auto_repair": true, "auto_upgrade": true }}]}}}
+import future.keywords.if
+import data.gke.policy.cluster_maintenance_window
+
+test_cluster_not_configured_maintenance_window if {
+    not cluster_maintenance_window.valid with input as {"data": {"gke": {"name": "cluster-not-repairing", "release_channel": {}, "node_pools": [{"name": "default", "management": {"auto_repair": true, "auto_upgrade": true }}]}}}
 }
 
-test_cluster_configured_to_maintanace_window {
-    valid with input as {"data": {"gke": {
+test_cluster_configured_to_maintanace_window if {
+    cluster_maintenance_window.valid with input as {"data": {"gke": {
         "name": "cluster-not-repairing", 
         "maintenance_policy": {
             "window": {

gke-policies-v2/policy/cluster_receive_updates.rego

@@ -27,21 +27,23 @@
 #   externalURI: https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-notifications
 #   sccCategory: UPDATE_NOTIFICATIONS_DISABLED
 #   dataSource: gke
-
 package gke.policy.cluster_receive_updates
 
+import future.keywords.if
+import future.keywords.contains
+
 default valid := false
 
-valid {
+valid if {
   count(violation) == 0
 }
 
-violation[msg] {
+violation contains msg if {
   not input.data.gke.notification_config.pubsub.enabled
   msg := "Cluster is not configured with upgrade notifications"
 }
 
-violation[msg] {
+violation contains msg if {
   not input.data.gke.notification_config.pubsub.topic
-  msg := "Cluster is not configured with upgrade notofications topic"
+  msg := "Cluster is not configured with upgrade notifications topic"
 }