docs: adding JFrog OPA policy allowing evidence checking on images, policy …#721
carmithersh wants to merge 2 commits into open-policy-agent:master from
…is based on JFrog OPA provider
Signed-off-by: Carmit Hershman <carmith@jfrog.com>
@carmithersh you will need to generate artifact hub files - please run
Pull request overview
This PR adds a new Gatekeeper policy for validating container images against JFrog Artifactory evidence. The policy integrates with the JFrog OPA provider to verify that pod images comply with organizational regulations by checking stored evidence.
Changes:
- Added new JFrog evidence checking policy with Rego implementation and constraint templates
- Created sample constraint and example YAML files for allowed/disallowed scenarios
- Added test suite configuration for the new policy
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 24 comments.
| File | Description |
|---|---|
| src/general/jfrog-evidence/src.rego | Main Rego policy implementation for evidence checking |
| src/general/jfrog-evidence/constraint.tmpl | Constraint template definition for Gatekeeper |
| library/general/jfrog-evidence/template.yaml | Generated constraint template with embedded policy |
| library/general/jfrog-evidence/suite.yaml | Test suite configuration |
| library/general/jfrog-evidence/samples/jfrogcheckevidence/constraint.yaml | Sample constraint configuration |
| library/general/jfrog-evidence/samples/jfrogcheckevidence/example_allowed.yaml | Example of allowed pod configuration |
| library/general/jfrog-evidence/samples/jfrogcheckevidence/example_disallowed.yaml | Example of disallowed pod configuration |
| library/general/jfrog-evidence/kustomization.yaml | Kustomize configuration for the policy |
Signed-off-by: Carmit Hershman <carmith@jfrog.com>
This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
…is based on JFrog OPA provider
This PR adds a policy allowing users to verify that all images used within a pod comply with the company's regulations requirements.
All images' evidence stored in JFrog Artifactory is retrieved and verified according to the user's policy.
This policy requires the user to have JFrog Artifactory and the JFrog OPA provider installed (see https://github.com/jfrog/jfrog-opa-policy).
Special notes for your reviewer:
Since external_data is at the heart of this policy, we are unable to add src_test.rego. Additionally, as the policy communicates with an installed provider, and through it with a JFrog Artifactory platform, the samples cannot be used without personalizing the image registry and location to allow the test to run on the user's platform.
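A sketch of the external_data round-trip the description refers to, added here as an illustration and not taken from the PR's own src.rego. The provider name `jfrog-opa-provider`, the string `"verified"` as the passing verdict, and the response field names (`responses`, `errors`, `system_error`, as documented for Gatekeeper external data) are assumptions; the PR's template may differ.

```rego
package jfrogcheckevidence

# Placeholder: the name under which the JFrog OPA provider is registered
# as a Gatekeeper external data Provider (assumed, not from the PR).
provider_name := "jfrog-opa-provider"

# Collect every image the pod references, including init and ephemeral
# containers, so no container bypasses the evidence check.
images[img] {
  img := input.review.object.spec.containers[_].image
}
images[img] {
  img := input.review.object.spec.initContainers[_].image
}
images[img] {
  img := input.review.object.spec.ephemeralContainers[_].image
}

# One request to the provider for all images; Gatekeeper hands back
# per-key responses, per-key errors, and a system-level error string.
response := external_data({"provider": provider_name, "keys": [img | img := images[_]]})

# Fail closed: if the provider cannot be reached, do not admit the pod.
violation[{"msg": msg}] {
  count(response.system_error) > 0
  msg := sprintf("evidence provider unavailable: %v", [response.system_error])
}

# Per-image errors from the provider, e.g. no evidence found for the image.
violation[{"msg": msg}] {
  err := response.errors[_]
  msg := sprintf("image %v failed evidence check: %v", [err[0], err[1]])
}

# Per-image verdicts; assumed to be a string where "verified" means the
# stored evidence satisfied the user's policy.
violation[{"msg": msg}] {
  resp := response.responses[_]
  resp[1] != "verified"
  msg := sprintf("image %v has no verified evidence (provider returned %v)", [resp[0], resp[1]])
}
```

As the description notes, this cannot be unit-tested with a plain src_test.rego because external_data needs a live Provider; exercising it requires a cluster with the provider and an Artifactory instance holding evidence for the sample images.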