{"id":813,"date":"2026-03-25T09:55:05","date_gmt":"2026-03-25T08:55:05","guid":{"rendered":"https:\/\/secure-pipelines.com\/uncategorized\/lab-enforcing-kubernetes-policies-opa-conftest-ci-cd\/"},"modified":"2026-03-25T09:55:05","modified_gmt":"2026-03-25T08:55:05","slug":"lab-enforcing-kubernetes-policies-opa-conftest-ci-cd","status":"publish","type":"post","link":"https:\/\/secure-pipelines.com\/ar\/ci-cd-security\/lab-enforcing-kubernetes-policies-opa-conftest-ci-cd\/","title":{"rendered":"\u0645\u062e\u062a\u0628\u0631 \u0639\u0645\u0644\u064a: \u0641\u0631\u0636 \u0633\u064a\u0627\u0633\u0627\u062a \u0646\u0634\u0631 Kubernetes \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 OPA Conftest \u0641\u064a CI\/CD"},"content":{"rendered":"<h2>\u0646\u0638\u0631\u0629 \u0639\u0627\u0645\u0629<\/h2>\n<p>\u062a\u064f\u0639\u062f\u0651 \u0645\u0644\u0641\u0627\u062a Kubernetes \u0627\u0644\u0645\u064f\u0647\u064a\u064e\u0651\u0623\u0629 \u0628\u0634\u0643\u0644 \u062e\u0627\u0637\u0626 \u0645\u0646 \u0623\u0628\u0631\u0632 \u0623\u0633\u0628\u0627\u0628 \u0627\u0644\u062d\u0648\u0627\u062f\u062b \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0641\u064a \u0628\u064a\u0626\u0627\u062a \u0627\u0644\u0625\u0646\u062a\u0627\u062c. 
\u0641\u062d\u0627\u0648\u064a\u0629 \u062a\u0639\u0645\u0644 \u0628\u0635\u0644\u0627\u062d\u064a\u0627\u062a root\u060c \u0623\u0648 \u0648\u0633\u0645 \u0635\u0648\u0631\u0629 \u063a\u064a\u0631 \u0645\u064f\u062b\u0628\u064e\u0651\u062a\u060c \u0623\u0648 \u062d\u062f\u0651 \u0645\u0648\u0627\u0631\u062f \u0645\u0641\u0642\u0648\u062f\u060c \u0623\u0648 \u0634\u0628\u0643\u0629 \u0645\u0636\u064a\u0641 \u0645\u0643\u0634\u0648\u0641\u0629 \u2014 \u0643\u0644\u0651 \u0648\u0627\u062d\u062f\u0629 \u0645\u0646 \u0647\u0630\u0647 \u0642\u062f \u062a\u0641\u062a\u062d \u0627\u0644\u0628\u0627\u0628 \u0623\u0645\u0627\u0645 \u062a\u0635\u0639\u064a\u062f \u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0623\u0648 \u0627\u0633\u062a\u0646\u0632\u0627\u0641 \u0627\u0644\u0645\u0648\u0627\u0631\u062f \u0623\u0648 \u0627\u0644\u062d\u0631\u0643\u0629 \u0627\u0644\u062c\u0627\u0646\u0628\u064a\u0629 \u062f\u0627\u062e\u0644 \u0639\u0646\u0642\u0648\u062f\u0643.<\/p>\n<p>\u0627\u0644\u0645\u0634\u0643\u0644\u0629 \u0623\u0646\u0651 \u0647\u0630\u0647 \u0627\u0644\u0623\u062e\u0637\u0627\u0621 \u062a\u0628\u0642\u0649 \u063a\u064a\u0631 \u0645\u0631\u0626\u064a\u0629 \u062d\u062a\u0649 \u0648\u0642\u062a \u0627\u0644\u0646\u0634\u0631 \u2014 \u0623\u0648 \u0627\u0644\u0623\u0633\u0648\u0623\u060c \u062d\u062a\u0649 \u064a\u0633\u062a\u063a\u0644\u0651\u0647\u0627 \u0645\u0647\u0627\u062c\u0645. 
\u0627\u0644\u062d\u0644\u0651 \u0647\u0648 \u0646\u0642\u0644 \u0627\u0644\u0623\u0645\u0627\u0646 \u0625\u0644\u0649 \u0627\u0644\u064a\u0633\u0627\u0631 \u0648\u0627\u0643\u062a\u0634\u0627\u0641 \u0627\u0646\u062a\u0647\u0627\u0643\u0627\u062a \u0627\u0644\u0633\u064a\u0627\u0633\u0629 <strong>\u0642\u0628\u0644<\/strong> \u0623\u0646 \u062a\u0635\u0644 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0625\u0644\u0649 \u0627\u0644\u0639\u0646\u0642\u0648\u062f.<\/p>\n<p>\u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631 \u0627\u0644\u0639\u0645\u0644\u064a\u060c \u0633\u062a\u0633\u062a\u062e\u062f\u0645 <strong>Conftest<\/strong> \u2014 \u0625\u0637\u0627\u0631 \u0627\u062e\u062a\u0628\u0627\u0631 \u0645\u0628\u0646\u064a \u0639\u0644\u0649 \u0645\u062d\u0631\u0651\u0643 Open Policy Agent (OPA) \u2014 \u0644\u0643\u062a\u0627\u0628\u0629 \u0633\u064a\u0627\u0633\u0627\u062a Rego \u062a\u062a\u062d\u0642\u0651\u0642 \u0645\u0646 \u0635\u062d\u0629 \u0645\u0644\u0641\u0627\u062a Kubernetes. 
\u062b\u0645 \u0633\u062a\u062f\u0645\u062c \u062a\u0644\u0643 \u0627\u0644\u0641\u062d\u0648\u0635\u0627\u062a \u0641\u064a GitHub Actions \u0648GitLab CI \u0628\u062d\u064a\u062b \u064a\u062a\u0645 \u0641\u062d\u0635 \u0643\u0644\u0651 \u0637\u0644\u0628 \u062f\u0645\u062c \u062a\u0644\u0642\u0627\u0626\u064a\u064b\u0627 \u0628\u062d\u062b\u064b\u0627 \u0639\u0646 \u0627\u0644\u0627\u0646\u062a\u0647\u0627\u0643\u0627\u062a.<\/p>\n<p>\u0628\u0646\u0647\u0627\u064a\u0629 \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631 \u0633\u062a\u0643\u0648\u0646 \u0642\u062f \u062d\u0635\u0644\u062a \u0639\u0644\u0649:<\/p>\n<ul>\n<li>\u0645\u0643\u062a\u0628\u0629 \u0645\u0646 \u0633\u064a\u0627\u0633\u0627\u062a Rego \u0627\u0644\u0642\u0627\u0628\u0644\u0629 \u0644\u0625\u0639\u0627\u062f\u0629 \u0627\u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u062a\u063a\u0637\u0651\u064a \u0648\u0633\u0648\u0645 \u0627\u0644\u0635\u0648\u0631 \u0648\u0633\u064a\u0627\u0642\u0627\u062a \u0627\u0644\u0623\u0645\u0627\u0646 \u0648\u062d\u062f\u0648\u062f \u0627\u0644\u0645\u0648\u0627\u0631\u062f \u0648\u0627\u0644\u0648\u0635\u0648\u0644 \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u0645\u0636\u064a\u0641.<\/li>\n<li>\u0627\u062e\u062a\u0628\u0627\u0631\u0627\u062a \u0648\u062d\u062f\u0629 \u0644\u062a\u0644\u0643 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 <code>opa test<\/code>.<\/li>\n<li>\u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0639\u0627\u0645\u0644\u0629 \u062a\u062d\u0638\u0631 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u063a\u064a\u0631 \u0627\u0644\u0622\u0645\u0646\u0629 \u0648\u062a\u0648\u0641\u0651\u0631 \u0631\u0633\u0627\u0626\u0644 \u0627\u0646\u062a\u0647\u0627\u0643 \u0648\u0627\u0636\u062d\u0629 \u0648\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0646\u0641\u064a\u0630.<\/li>\n<\/ul>\n<h2>\u0627\u0644\u0645\u062a\u0637\u0644\u0628\u0627\u062a 
\u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629<\/h2>\n<p>\u0642\u0628\u0644 \u0627\u0644\u0628\u062f\u0621\u060c \u062a\u0623\u0643\u0651\u062f \u0645\u0646 \u062a\u0648\u0641\u0651\u0631 \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0648\u0627\u0644\u0645\u0639\u0631\u0641\u0629 \u0627\u0644\u062a\u0627\u0644\u064a\u0629:<\/p>\n<ul>\n<li><strong>\u062a\u062b\u0628\u064a\u062a Conftest CLI<\/strong> \u2014 \u0627\u0644\u062a\u062b\u0628\u064a\u062a \u0639\u0628\u0631 Homebrew:\n<pre><code>brew install conftest<\/code><\/pre>\n<p>\u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0630\u0644\u0643\u060c \u062d\u0645\u0651\u0644 \u0627\u0644\u0645\u0644\u0641 \u0627\u0644\u062a\u0646\u0641\u064a\u0630\u064a \u0645\u0646 <a href=\"https:\/\/github.com\/open-policy-agent\/conftest\/releases\" target=\"_blank\" rel=\"noopener\">\u0635\u0641\u062d\u0629 \u0625\u0635\u062f\u0627\u0631\u0627\u062a Conftest<\/a>. \u0641\u064a CI \u062b\u0628\u0651\u062a \u0625\u0635\u062f\u0627\u0631\u064b\u0627 \u0645\u062d\u062f\u062f\u064b\u0627 \u0648\u062a\u062d\u0642\u0651\u0642 \u0645\u0646 checksum \u0627\u0644\u0645\u0644\u0641 \u0627\u0644\u0630\u064a \u062a\u0646\u0632\u0651\u0644\u0647 \u0628\u062f\u0644 \u0633\u062d\u0628 \u0622\u062e\u0631 \u0625\u0635\u062f\u0627\u0631.<\/p><\/li>\n<li><strong>OPA CLI<\/strong> \u2014 \u0645\u0637\u0644\u0648\u0628 \u0644\u0623\u0645\u0631 <code>opa test<\/code> \u0641\u064a \u0627\u0644\u062a\u0645\u0631\u064a\u0646 5 (\u0623\u0648 \u0627\u0633\u062a\u062e\u062f\u0645 <code>conftest verify<\/code> \u0627\u0644\u0630\u064a \u064a\u0634\u063a\u0651\u0644 \u0627\u062e\u062a\u0628\u0627\u0631\u0627\u062a Rego \u0646\u0641\u0633\u0647\u0627 \u062f\u0648\u0646 \u062b\u0646\u0627\u0626\u064a \u0625\u0636\u0627\u0641\u064a).<\/li>\n<li><strong>kubectl \u0648\u0639\u0646\u0642\u0648\u062f \u0627\u062e\u062a\u0628\u0627\u0631 (\u0627\u062e\u062a\u064a\u0627\u0631\u064a)<\/strong> \u2014 \u0625\u0630\u0627 \u0623\u0631\u062f\u062a \u0627\u0644\u062a\u062d\u0642\u0651\u0642 \u0645\u0646 \u0623\u0646\u0651 \u0645\u0644\u0641\u0627\u062a\u0643 \u0627\u0644\u0645\u064f\u0635\u0644\u064e\u062d\u0629 \u062a\u064f\u0646\u0634\u0631 \u0641\u0639\u0644\u0627\u064b\u060c \u0623\u0646\u0634\u0626 \u0639\u0646\u0642\u0648\u062f\u064b\u0627 \u0645\u062d\u0644\u064a\u064b\u0627 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 <code>minikube start<\/code> \u0623\u0648 <code>kind create cluster<\/code>.<\/li>\n<li><strong>\u0645\u0633\u062a\u0648\u062f\u0639 \u0627\u062e\u062a\u0628\u0627\u0631<\/strong> \u2014 \u0623\u0646\u0634\u0626 \u0645\u0633\u062a\u0648\u062f\u0639 Git \u062c\u062f\u064a\u062f\u064b\u0627 \u0623\u0648 \u0627\u0633\u062a\u062e\u062f\u0645 \u0645\u0633\u062a\u0648\u062f\u0639\u064b\u0627 \u0645\u0648\u062c\u0648\u062f\u064b\u0627. 
\u0633\u0646\u0628\u0646\u064a \u062c\u0645\u064a\u0639 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0645\u0646 \u0627\u0644\u0635\u0641\u0631.<\/li>\n<li><strong>\u0645\u0639\u0631\u0641\u0629 \u0623\u0633\u0627\u0633\u064a\u0629 \u0628\u0640 YAML \u0648Kubernetes<\/strong> \u2014 \u064a\u062c\u0628 \u0623\u0646 \u062a\u0643\u0648\u0646 \u0645\u0631\u062a\u0627\u062d\u064b\u0627 \u0641\u064a \u0642\u0631\u0627\u0621\u0629 \u0645\u0644\u0641\u0627\u062a Deployment \u0648Service \u0648Pod.<\/li>\n<\/ul>\n<h2>\u0625\u0639\u062f\u0627\u062f \u0627\u0644\u0628\u064a\u0626\u0629<\/h2>\n<p>\u0627\u0628\u062f\u0623 \u0628\u0625\u0646\u0634\u0627\u0621 \u0647\u064a\u0643\u0644 \u0627\u0644\u0645\u0634\u0631\u0648\u0639 \u0648\u0645\u062c\u0645\u0648\u0639\u0629 \u0645\u0646 \u0645\u0644\u0641\u0627\u062a Kubernetes \u063a\u064a\u0631 \u0627\u0644\u0622\u0645\u0646\u0629 \u0639\u0645\u062f\u064b\u0627. \u0633\u062a\u0643\u0648\u0646 \u0647\u0630\u0647 \u0628\u0645\u062b\u0627\u0628\u0629 \u0645\u0644\u0641\u0627\u062a \u0627\u062e\u062a\u0628\u0627\u0631 \u062b\u0627\u0628\u062a\u0629 \u0637\u0648\u0627\u0644 \u0643\u0644\u0651 \u062a\u0645\u0631\u064a\u0646.<\/p>\n<h3>\u0647\u064a\u0643\u0644 \u0627\u0644\u0645\u0634\u0631\u0648\u0639<\/h3>\n<pre><code>conftest-k8s-lab\/\n\u251c\u2500\u2500 k8s\/\n\u2502   \u251c\u2500\u2500 deployment-latest-tag.yaml\n\u2502   \u251c\u2500\u2500 deployment-run-as-root.yaml\n\u2502   \u251c\u2500\u2500 deployment-no-limits.yaml\n\u2502   \u251c\u2500\u2500 service-loadbalancer.yaml\n\u2502   \u2514\u2500\u2500 pod-host-network.yaml\n\u2514\u2500\u2500 policy\/<\/code><\/pre>\n<p>\u0623\u0646\u0634\u0626 \u0627\u0644\u0645\u062c\u0644\u062f\u0627\u062a:<\/p>\n<pre><code>mkdir -p conftest-k8s-lab\/k8s conftest-k8s-lab\/policy\ncd conftest-k8s-lab<\/code><\/pre>\n<h3>\u0627\u0644\u0645\u0644\u0641 1 \u2014 Deployment \u0628\u0648\u0633\u0645 \u0635\u0648\u0631\u0629 \u063a\u064a\u0631 
\u0645\u064f\u062b\u0628\u064e\u0651\u062a<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>k8s\/deployment-latest-tag.yaml<\/code>:<\/p>\n<pre><code>apiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  name: web-latest\nspec:\n  replicas: 1\n  selector:\n    matchLabels:\n      app: web-latest\n  template:\n    metadata:\n      labels:\n        app: web-latest\n    spec:\n      containers:\n        - name: nginx\n          image: nginx:latest\n          ports:\n            - containerPort: 80<\/code><\/pre>\n<p>\u064a\u0633\u062a\u062e\u062f\u0645 \u0647\u0630\u0627 \u0627\u0644\u0645\u0644\u0641 <code>nginx:latest<\/code>\u060c \u0645\u0645\u0627 \u064a\u0639\u0646\u064a \u0623\u0646\u0651 \u0643\u0644\u0651 \u0639\u0645\u0644\u064a\u0629 \u0633\u062d\u0628 \u0642\u062f \u062a\u064f\u062f\u062e\u0644 \u0645\u0644\u0641\u064b\u0627 \u062a\u0646\u0641\u064a\u0630\u064a\u064b\u0627 \u0645\u062e\u062a\u0644\u0641\u064b\u0627 \u0628\u0635\u0645\u062a \u0625\u0644\u0649 \u0639\u0646\u0642\u0648\u062f\u0643.<\/p>\n<h3>\u0627\u0644\u0645\u0644\u0641 2 \u2014 Deployment \u064a\u0639\u0645\u0644 \u0628\u0635\u0644\u0627\u062d\u064a\u0627\u062a Root<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>k8s\/deployment-run-as-root.yaml<\/code>:<\/p>\n<pre><code>apiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  name: web-root\nspec:\n  replicas: 1\n  selector:\n    matchLabels:\n      app: web-root\n  template:\n    metadata:\n      labels:\n        app: web-root\n    spec:\n      containers:\n        - name: nginx\n          image: nginx:1.25.4\n          ports:\n            - containerPort: 80<\/code><\/pre>\n<p>\u0644\u0645 \u064a\u062a\u0645 \u062a\u0639\u064a\u064a\u0646 <code>securityContext<\/code>\u060c \u0644\u0630\u0627 \u062a\u0639\u0645\u0644 \u0627\u0644\u062d\u0627\u0648\u064a\u0629 \u0627\u0641\u062a\u0631\u0627\u0636\u064a\u064b\u0627 \u0628\u0635\u0644\u0627\u062d\u064a\u0627\u062a root \u2014 \u0648\u0647\u0648 \u0645\u0633\u0627\u0631 \u0645\u0639\u0631\u0648\u0641 
\u0644\u062a\u0635\u0639\u064a\u062f \u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a.<\/p>\n<h3>\u0627\u0644\u0645\u0644\u0641 3 \u2014 Deployment \u0628\u062f\u0648\u0646 \u062d\u062f\u0648\u062f \u0645\u0648\u0627\u0631\u062f<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>k8s\/deployment-no-limits.yaml<\/code>:<\/p>\n<pre><code>apiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  name: web-no-limits\nspec:\n  replicas: 1\n  selector:\n    matchLabels:\n      app: web-no-limits\n  template:\n    metadata:\n      labels:\n        app: web-no-limits\n    spec:\n      containers:\n        - name: nginx\n          image: nginx:1.25.4\n          ports:\n            - containerPort: 80<\/code><\/pre>\n<p>\u0628\u062f\u0648\u0646 \u062d\u062f\u0648\u062f CPU \u0648\u0627\u0644\u0630\u0627\u0643\u0631\u0629\u060c \u064a\u0645\u0643\u0646 \u0644\u062d\u0627\u0648\u064a\u0629 \u0648\u0627\u062d\u062f\u0629 \u0633\u064a\u0651\u0626\u0629 \u0627\u0644\u0633\u0644\u0648\u0643 \u0623\u0646 \u062a\u064f\u062c\u0648\u0650\u0651\u0639 \u0627\u0644\u0639\u0642\u062f\u0629 \u0628\u0623\u0643\u0645\u0644\u0647\u0627.<\/p>\n<h3>\u0627\u0644\u0645\u0644\u0641 4 \u2014 Service \u0645\u0646 \u0646\u0648\u0639 LoadBalancer<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>k8s\/service-loadbalancer.yaml<\/code>:<\/p>\n<pre><code>apiVersion: v1\nkind: Service\nmetadata:\n  name: web-lb\nspec:\n  type: LoadBalancer\n  selector:\n    app: web\n  ports:\n    - port: 80\n      targetPort: 80<\/code><\/pre>\n<p>\u062e\u062f\u0645\u0629 LoadBalancer \u0628\u062f\u0648\u0646 \u062a\u0639\u0644\u064a\u0642\u0627\u062a \u062a\u0648\u0636\u064a\u062d\u064a\u0629 \u0642\u062f \u062a\u0643\u0634\u0641 \u0623\u0639\u0628\u0627\u0621 \u0627\u0644\u0639\u0645\u0644 \u0644\u0644\u0625\u0646\u062a\u0631\u0646\u062a \u0627\u0644\u0639\u0627\u0645 \u0641\u064a \u0627\u0644\u0628\u064a\u0626\u0627\u062a \u0627\u0644\u0633\u062d\u0627\u0628\u064a\u0629.<\/p>\n<h3>\u0627\u0644\u0645\u0644\u0641 5 \u2014 Pod \u0645\u0639 
\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0634\u0628\u0643\u0629 \u0627\u0644\u0645\u0636\u064a\u0641<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>k8s\/pod-host-network.yaml<\/code>:<\/p>\n<pre><code>apiVersion: v1\nkind: Pod\nmetadata:\n  name: debug-pod\nspec:\n  hostNetwork: true\n  containers:\n    - name: debug\n      image: busybox:1.36\n      command: [\"sleep\", \"3600\"]<\/code><\/pre>\n<p><code>hostNetwork: true<\/code> \u064a\u0645\u0646\u062d \u0627\u0644\u062d\u0627\u0648\u064a\u0629 \u0648\u0635\u0648\u0644\u0627\u064b \u0643\u0627\u0645\u0644\u0627\u064b \u0625\u0644\u0649 \u0645\u0643\u062f\u0651\u0633 \u0634\u0628\u0643\u0629 \u0627\u0644\u0639\u0642\u062f\u0629\u060c \u0645\u062a\u062c\u0627\u0648\u0632\u064b\u0627 \u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u0634\u0628\u0643\u0629 \u0628\u0627\u0644\u0643\u0627\u0645\u0644.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 1: \u0643\u062a\u0627\u0628\u0629 \u0623\u0648\u0644 \u0633\u064a\u0627\u0633\u0629 Rego \u2014 \u0645\u0646\u0639 \u0648\u0633\u0648\u0645 Latest<\/h2>\n<p>\u0633\u062a\u0645\u0646\u0639 \u0633\u064a\u0627\u0633\u062a\u0643 \u0627\u0644\u0623\u0648\u0644\u0649 \u0623\u064a \u0635\u0648\u0631\u0629 \u062d\u0627\u0648\u064a\u0629 \u062a\u0633\u062a\u062e\u062f\u0645 \u0648\u0633\u0645 <code>:latest<\/code> \u0623\u0648 \u062a\u062d\u0630\u0641 \u0627\u0644\u0648\u0633\u0645 \u0628\u0627\u0644\u0643\u0627\u0645\u0644 (\u0648\u0627\u0644\u0630\u064a \u064a\u064f\u062d\u0644\u0651 \u0623\u064a\u0636\u064b\u0627 \u0625\u0644\u0649 <code>latest<\/code>).<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 1 \u2014 \u0625\u0646\u0634\u0627\u0621 \u0627\u0644\u0633\u064a\u0627\u0633\u0629<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>policy\/tags.rego<\/code>:<\/p>\n<pre><code>package main\n\nimport future.keywords.in\n\ndeny[msg] {\n  input.kind == \"Deployment\"\n  container := input.spec.template.spec.containers[_]\n  image := container.image\n  not contains(image, \":\")\n  msg := 
sprintf(\"Container '%s' uses image '%s' without a tag. Pin to a specific version.\", [container.name, image])\n}\n\ndeny[msg] {\n  input.kind == \"Deployment\"\n  container := input.spec.template.spec.containers[_]\n  image := container.image\n  endswith(image, \":latest\")\n  msg := sprintf(\"Container '%s' uses the ':latest' tag in image '%s'. Pin to a specific version.\", [container.name, image])\n}<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 2 \u2014 \u062a\u0634\u063a\u064a\u0644 Conftest \u0639\u0644\u0649 \u0627\u0644\u0645\u0644\u0641 \u063a\u064a\u0631 \u0627\u0644\u0622\u0645\u0646<\/h3>\n<pre><code>conftest test k8s\/deployment-latest-tag.yaml<\/code><\/pre>\n<p>\u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0645\u062a\u0648\u0642\u0639\u0629:<\/p>\n<pre><code>FAIL - k8s\/deployment-latest-tag.yaml - main - Container 'nginx' uses the ':latest' tag in image 'nginx:latest'. Pin to a specific version.\n\n1 test, 0 passed, 0 warnings, 1 failure<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 3 \u2014 \u0625\u0635\u0644\u0627\u062d \u0627\u0644\u0645\u0644\u0641<\/h3>\n<p>\u0639\u062f\u0651\u0644 <code>k8s\/deployment-latest-tag.yaml<\/code> \u0648\u063a\u064a\u0651\u0631 \u0633\u0637\u0631 \u0627\u0644\u0635\u0648\u0631\u0629:<\/p>\n<pre><code>          image: nginx:1.25.4<\/code><\/pre>\n<p>\u0634\u063a\u0651\u0644 Conftest \u0645\u062c\u062f\u062f\u064b\u0627:<\/p>\n<pre><code>conftest test k8s\/deployment-latest-tag.yaml<\/code><\/pre>\n<p>\u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0645\u062a\u0648\u0642\u0639\u0629:<\/p>\n<pre><code>1 test, 1 passed, 0 warnings, 0 failures<\/code><\/pre>\n<h3>\u0641\u0647\u0645 \u0628\u0646\u064a\u0629 Rego<\/h3>\n<p>\u0643\u0644\u0651 \u0645\u0644\u0641 \u0633\u064a\u0627\u0633\u0629 Rego \u064a\u0633\u062a\u062e\u062f\u0645\u0647 Conftest \u064a\u062a\u0628\u0639 \u0646\u0645\u0637\u064b\u0627 
\u0628\u0633\u064a\u0637\u064b\u0627:<\/p>\n<ul>\n<li><strong><code>package main<\/code><\/strong> \u2014 \u064a\u0628\u062d\u062b Conftest \u0639\u0646 \u062d\u0632\u0645\u0629 <code>main<\/code> \u0627\u0641\u062a\u0631\u0627\u0636\u064a\u064b\u0627. \u064a\u0645\u0643\u0646\u0643 \u062a\u062c\u0627\u0648\u0632 \u0630\u0644\u0643 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 <code>--namespace<\/code>.<\/li>\n<li><strong><code>deny[msg]<\/code><\/strong> \u2014 \u0645\u062c\u0645\u0648\u0639\u0629 \u0642\u0648\u0627\u0639\u062f. \u0625\u0630\u0627 \u062a\u062d\u0642\u0651\u0642\u062a <em>\u062c\u0645\u064a\u0639<\/em> \u0627\u0644\u0634\u0631\u0648\u0637 \u062f\u0627\u062e\u0644 \u062c\u0633\u0645 \u0627\u0644\u0642\u0627\u0639\u062f\u0629\u060c \u062a\u064f\u0637\u0644\u064e\u0642 \u0627\u0644\u0642\u0627\u0639\u062f\u0629 \u0648\u062a\u064f\u0636\u064a\u0641 <code>msg<\/code> \u0625\u0644\u0649 \u0645\u062c\u0645\u0648\u0639\u0629 \u0627\u0644\u0627\u0646\u062a\u0647\u0627\u0643\u0627\u062a.<\/li>\n<li><strong><code>input<\/code><\/strong> \u2014 \u064a\u0645\u062b\u0651\u0644 \u0645\u0633\u062a\u0646\u062f YAML \u0627\u0644\u0630\u064a \u064a\u062a\u0645 \u0627\u062e\u062a\u0628\u0627\u0631\u0647. 
\u064a\u062d\u0644\u0651\u0644\u0647 Conftest \u0625\u0644\u0649 \u0643\u0627\u0626\u0646 JSON \u062a\u0644\u0642\u0627\u0626\u064a\u064b\u0627.<\/li>\n<li><strong><code>sprintf<\/code><\/strong> \u2014 \u064a\u064f\u0646\u0633\u0651\u0642 \u0631\u0633\u0627\u0644\u0629 \u062e\u0637\u0623 \u0645\u0642\u0631\u0648\u0621\u0629 \u062a\u0638\u0647\u0631 \u0641\u064a \u0633\u062c\u0644\u0627\u062a CI.<\/li>\n<li><strong><code>input.kind<\/code><\/strong> \u2014 \u0643\u0644\u0651 \u0642\u0648\u0627\u0639\u062f \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631 \u062a\u0637\u0627\u0628\u0642 <code>Deployment<\/code> \u0623\u0648 <code>Pod<\/code> \u0641\u0642\u0637\u060c \u0644\u0630\u0627 \u062a\u0645\u0631\u0651 \u0645\u0644\u0641\u0627\u062a StatefulSet \u0648DaemonSet \u0648Job \u0648CronJob \u0648\u062d\u0627\u0648\u064a\u0627\u062a <code>initContainers<\/code> \u062f\u0648\u0646 \u0641\u062d\u0635 \u0645\u0627 \u0644\u0645 \u062a\u0648\u0633\u0651\u0639 \u0627\u0644\u0634\u0631\u0637.<\/li>\n<\/ul>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 2: \u0645\u0646\u0639 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0645\u0646 \u0627\u0644\u0639\u0645\u0644 \u0628\u0635\u0644\u0627\u062d\u064a\u0627\u062a Root<\/h2>\n<p>\u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0627\u0644\u062a\u064a \u062a\u0639\u0645\u0644 \u0628\u0635\u0644\u0627\u062d\u064a\u0627\u062a root \u064a\u0645\u0643\u0646\u0647\u0627 \u062a\u0639\u062f\u064a\u0644 \u0646\u0638\u0627\u0645 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0648\u062a\u062b\u0628\u064a\u062a \u0627\u0644\u062d\u0632\u0645\u060c \u0648\u0625\u0630\u0627 \u0627\u0642\u062a\u0631\u0646\u062a \u0628\u062b\u063a\u0631\u0629 \u0641\u064a \u0627\u0644\u0646\u0648\u0627\u0629\u060c \u064a\u0645\u0643\u0646\u0647\u0627 \u0627\u0644\u0647\u0631\u0648\u0628 \u0625\u0644\u0649 \u0627\u0644\u0645\u0636\u064a\u0641. 
\u062a\u0641\u0631\u0636 \u0647\u0630\u0647 \u0627\u0644\u0633\u064a\u0627\u0633\u0629 \u0636\u0627\u0628\u0637\u064a\u0646: <code>runAsNonRoot: true<\/code> \u0648<code>allowPrivilegeEscalation: false<\/code>.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 1 \u2014 \u0625\u0646\u0634\u0627\u0621 \u0627\u0644\u0633\u064a\u0627\u0633\u0629<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>policy\/security_context.rego<\/code>:<\/p>\n<pre><code>package main\n\ndeny[msg] {\n  input.kind == \"Deployment\"\n  container := input.spec.template.spec.containers[_]\n  not container.securityContext.runAsNonRoot == true\n  msg := sprintf(\"Container '%s' must set securityContext.runAsNonRoot to true.\", [container.name])\n}\n\ndeny[msg] {\n  input.kind == \"Deployment\"\n  container := input.spec.template.spec.containers[_]\n  not container.securityContext.allowPrivilegeEscalation == false\n  msg := sprintf(\"Container '%s' must set securityContext.allowPrivilegeEscalation to false.\", [container.name])\n}<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 2 \u2014 \u0627\u0644\u0627\u062e\u062a\u0628\u0627\u0631 \u0639\u0644\u0649 \u0627\u0644\u0645\u0644\u0641 \u063a\u064a\u0631 \u0627\u0644\u0622\u0645\u0646<\/h3>\n<pre><code>conftest test k8s\/deployment-run-as-root.yaml<\/code><\/pre>\n<p>\u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0645\u062a\u0648\u0642\u0639\u0629:<\/p>\n<pre><code>FAIL - k8s\/deployment-run-as-root.yaml - main - Container 'nginx' must set securityContext.runAsNonRoot to true.\nFAIL - k8s\/deployment-run-as-root.yaml - main - Container 'nginx' must set securityContext.allowPrivilegeEscalation to false.\n\n1 test, 0 passed, 0 warnings, 2 failures<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 3 \u2014 \u0625\u0635\u0644\u0627\u062d \u0627\u0644\u0645\u0644\u0641<\/h3>\n<p>\u062d\u062f\u0651\u062b <code>k8s\/deployment-run-as-root.yaml<\/code> \u0644\u064a\u062a\u0636\u0645\u0651\u0646 \u0633\u064a\u0627\u0642 
\u0623\u0645\u0627\u0646 \u0644\u0643\u0644\u0651 \u062d\u0627\u0648\u064a\u0629:<\/p>\n<pre><code>apiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  name: web-root\nspec:\n  replicas: 1\n  selector:\n    matchLabels:\n      app: web-root\n  template:\n    metadata:\n      labels:\n        app: web-root\n    spec:\n      containers:\n        - name: nginx\n          image: nginx:1.25.4\n          ports:\n            - containerPort: 80\n          securityContext:\n            runAsNonRoot: true\n            allowPrivilegeEscalation: false<\/code><\/pre>\n<p>\u0634\u063a\u0651\u0644 Conftest \u0645\u062c\u062f\u062f\u064b\u0627 \u2014 \u062a\u0645\u0631\u0651 \u0643\u0644\u062a\u0627 \u0627\u0644\u0642\u0627\u0639\u062f\u062a\u064a\u0646 \u0627\u0644\u0622\u0646 \u0628\u0646\u062c\u0627\u062d.<\/p>\n<p>\u062a\u0646\u0628\u064a\u0647: \u0646\u062c\u0627\u062d \u0627\u0644\u0641\u062d\u0635 \u0644\u0627 \u064a\u0636\u0645\u0646 \u0623\u0646 \u0627\u0644\u062d\u0627\u0648\u064a\u0629 \u0633\u062a\u0639\u0645\u0644. \u0635\u0648\u0631\u0629 <code>nginx<\/code> \u0627\u0644\u0631\u0633\u0645\u064a\u0629 \u062a\u0639\u0645\u0644 \u0628\u0640 UID 0 \u0627\u0641\u062a\u0631\u0627\u0636\u064a\u064b\u0627\u060c \u0648\u0645\u0639 <code>runAsNonRoot: true<\/code> \u0633\u064a\u0631\u0641\u0636 kubelet \u0628\u062f\u0621 \u0627\u0644\u062d\u0627\u0648\u064a\u0629. \u0627\u0633\u062a\u062e\u062f\u0645 \u0635\u0648\u0631\u0629 \u0645\u0635\u0645\u0651\u0645\u0629 \u0644\u0644\u0639\u0645\u0644 \u0628\u0645\u0633\u062a\u062e\u062f\u0645 \u063a\u064a\u0631 root \u0623\u0648 \u0639\u064a\u0651\u0646 <code>runAsUser<\/code> \u0628\u0642\u064a\u0645\u0629 \u063a\u064a\u0631 \u0635\u0641\u0631\u064a\u0629 \u0623\u064a\u0636\u064b\u0627. \u0643\u0645\u0627 \u0623\u0646 \u0627\u0644\u0633\u064a\u0627\u0633\u0629 \u062a\u0642\u0631\u0623 <code>securityContext<\/code> \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u062d\u0627\u0648\u064a\u0629 \u0641\u0642\u0637\u060c \u0641\u0645\u0644\u0641 \u064a\u0636\u0628\u0637 <code>runAsNonRoot<\/code> \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u0640 Pod \u0633\u064a\u064f\u0631\u0641\u0636 \u0631\u063a\u0645 \u0623\u0646\u0647 \u0622\u0645\u0646 \u2014 \u0648\u0633\u0651\u0639 \u0627\u0644\u0642\u0627\u0639\u062f\u0629 \u0644\u062a\u0642\u0628\u0644 \u0627\u0644\u062d\u0627\u0644\u062a\u064a\u0646 \u0625\u0630\u0627 \u0644\u0632\u0645.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 3: \u0641\u0631\u0636 \u062d\u062f\u0648\u062f \u0627\u0644\u0645\u0648\u0627\u0631\u062f<\/h2>\n<p>\u0628\u062f\u0648\u0646 \u062d\u062f\u0648\u062f \u0627\u0644\u0645\u0648\u0627\u0631\u062f\u060c \u064a\u0645\u0643\u0646 \u0644\u062d\u0627\u0648\u064a\u0629 \u0648\u0627\u062d\u062f\u0629 \u0623\u0646 \u062a\u0633\u062a\u0647\u0644\u0643 \u0643\u0644\u0651 \u0648\u062d\u062f\u0629 \u0627\u0644\u0645\u0639\u0627\u0644\u062c\u0629 \u0627\u0644\u0645\u0631\u0643\u0632\u064a\u0629 \u0648\u0627\u0644\u0630\u0627\u0643\u0631\u0629 \u0639\u0644\u0649 \u0627\u0644\u0639\u0642\u062f\u0629\u060c \u0645\u0645\u0627 \u064a\u062a\u0633\u0628\u0651\u0628 \u0641\u064a \u0625\u062e\u0641\u0627\u0642\u0627\u062a \u0645\u062a\u062a\u0627\u0644\u064a\u0629 \u0639\u0628\u0631 \u0623\u0639\u0628\u0627\u0621 \u0639\u0645\u0644 \u063a\u064a\u0631 \u0645\u0631\u062a\u0628\u0637\u0629. 
\u062a\u062a\u0637\u0644\u0628 \u0627\u0644\u0639\u062f\u064a\u062f \u0645\u0646 \u0623\u0637\u0631 \u0627\u0644\u0627\u0645\u062a\u062b\u0627\u0644 (SOC 2\u060c CIS Benchmarks) \u062d\u062f\u0648\u062f\u064b\u0627 \u0635\u0631\u064a\u062d\u0629.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 1 \u2014 \u0625\u0646\u0634\u0627\u0621 \u0627\u0644\u0633\u064a\u0627\u0633\u0629<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>policy\/resources.rego<\/code>:<\/p>\n<pre><code>package main\n\ndeny[msg] {\n  input.kind == \"Deployment\"\n  container := input.spec.template.spec.containers[_]\n  not container.resources.limits.cpu\n  msg := sprintf(\"Container '%s' must define resources.limits.cpu.\", [container.name])\n}\n\ndeny[msg] {\n  input.kind == \"Deployment\"\n  container := input.spec.template.spec.containers[_]\n  not container.resources.limits.memory\n  msg := sprintf(\"Container '%s' must define resources.limits.memory.\", [container.name])\n}<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 2 \u2014 \u0627\u0644\u0627\u062e\u062a\u0628\u0627\u0631 \u0639\u0644\u0649 \u0627\u0644\u0645\u0644\u0641 \u063a\u064a\u0631 \u0627\u0644\u0622\u0645\u0646<\/h3>\n<pre><code>conftest test k8s\/deployment-no-limits.yaml<\/code><\/pre>\n<p>\u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0645\u062a\u0648\u0642\u0639\u0629:<\/p>\n<pre><code>FAIL - k8s\/deployment-no-limits.yaml - main - Container 'nginx' must define resources.limits.cpu.\nFAIL - k8s\/deployment-no-limits.yaml - main - Container 'nginx' must define resources.limits.memory.\n\n1 test, 0 passed, 0 warnings, 2 failures<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 3 \u2014 \u0625\u0635\u0644\u0627\u062d \u0627\u0644\u0645\u0644\u0641<\/h3>\n<p>\u0623\u0636\u0641 \u062d\u062f\u0648\u062f \u0627\u0644\u0645\u0648\u0627\u0631\u062f \u0625\u0644\u0649 <code>k8s\/deployment-no-limits.yaml<\/code>:<\/p>\n<pre><code>apiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  name: web-no-limits\nspec:\n 
 replicas: 1\n  selector:\n    matchLabels:\n      app: web-no-limits\n  template:\n    metadata:\n      labels:\n        app: web-no-limits\n    spec:\n      containers:\n        - name: nginx\n          image: nginx:1.25.4\n          ports:\n            - containerPort: 80\n          resources:\n            requests:\n              cpu: \"100m\"\n              memory: \"128Mi\"\n            limits:\n              cpu: \"250m\"\n              memory: \"256Mi\"<\/code><\/pre>\n<p>\u0634\u063a\u0651\u0644 Conftest \u0645\u062c\u062f\u062f\u064b\u0627 \u2014 \u062a\u0645\u0631\u0651 \u0641\u062d\u0648\u0635\u0627\u062a CPU \u0648\u0627\u0644\u0630\u0627\u0643\u0631\u0629 \u0628\u0646\u062c\u0627\u062d.<\/p>\n<p>\u0645\u0644\u0627\u062d\u0638\u0629: \u0645\u0627 \u062f\u0627\u0645 <code>policy\/security_context.rego<\/code> \u0645\u0646 \u0627\u0644\u062a\u0645\u0631\u064a\u0646 2 \u0645\u0648\u062c\u0648\u062f\u064b\u0627\u060c \u0633\u064a\u0628\u0644\u0651\u063a Conftest \u0623\u064a\u0636\u064b\u0627 \u0639\u0646 \u063a\u064a\u0627\u0628 <code>securityContext<\/code> \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u0645\u0644\u0641 (\u0641\u064a \u0627\u0644\u062e\u0637\u0648\u0629 2 \u0633\u062a\u0631\u0649 4 \u0625\u062e\u0641\u0627\u0642\u0627\u062a \u0644\u0627 2). \u0623\u0636\u0641 \u0633\u064a\u0627\u0642 \u0627\u0644\u0623\u0645\u0627\u0646 \u0646\u0641\u0633\u0647 \u0647\u0646\u0627 \u0644\u064a\u0645\u0631\u0651 \u0627\u0644\u0645\u0644\u0641 \u0628\u0627\u0644\u0643\u0627\u0645\u0644.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 4: \u0645\u0646\u0639 \u0627\u0644\u0648\u0635\u0648\u0644 \u0627\u0644\u0645\u0645\u064a\u0651\u0632 \u0644\u0644\u0645\u0636\u064a\u0641<\/h2>\n<p>\u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0627\u0644\u062a\u064a \u062a\u0637\u0644\u0628 \u0648\u0635\u0648\u0644\u0627\u064b \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u0645\u0636\u064a\u0641 \u2014 <code>hostNetwork<\/code> \u0623\u0648 <code>hostPID<\/code> \u0623\u0648 <code>hostIPC<\/code> \u0623\u0648 \u0633\u064a\u0627\u0642 \u0623\u0645\u0627\u0646 \u0645\u0645\u064a\u0651\u0632 \u2014 \u062a\u0639\u0645\u0644 \u0641\u0639\u0644\u064a\u064b\u0627 \u062e\u0627\u0631\u062c \u0635\u0646\u062f\u0648\u0642 \u0627\u0644\u062d\u0645\u0627\u064a\u0629. 
\u064a\u0645\u0643\u0646 \u0644\u062d\u0627\u0648\u064a\u0629 \u0645\u062e\u062a\u0631\u0642\u0629 \u0628\u0623\u064a\u0651 \u0645\u0646 \u0647\u0630\u0647 \u0627\u0644\u0639\u0644\u0627\u0645\u0627\u062a \u0631\u0624\u064a\u0629 \u0643\u0644\u0651 \u062d\u0631\u0643\u0629 \u0627\u0644\u0645\u0631\u0648\u0631 \u0639\u0644\u0649 \u0627\u0644\u0639\u0642\u062f\u0629\u060c \u0623\u0648 \u0627\u0644\u0627\u0631\u062a\u0628\u0627\u0637 \u0628\u0639\u0645\u0644\u064a\u0627\u062a \u0623\u062e\u0631\u0649\u060c \u0623\u0648 \u0627\u0644\u0647\u0631\u0648\u0628 \u0625\u0644\u0649 \u0627\u0644\u0645\u0636\u064a\u0641 \u0628\u0627\u0644\u0643\u0627\u0645\u0644.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 1 \u2014 \u0625\u0646\u0634\u0627\u0621 \u0627\u0644\u0633\u064a\u0627\u0633\u0629<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>policy\/host_access.rego<\/code>:<\/p>\n<pre><code>package main\n\ndeny[msg] {\n  input.kind == \"Pod\"\n  input.spec.hostNetwork == true\n  msg := sprintf(\"Pod '%s' must not use hostNetwork: true.\", [input.metadata.name])\n}\n\ndeny[msg] {\n  input.kind == \"Pod\"\n  input.spec.hostPID == true\n  msg := sprintf(\"Pod '%s' must not use hostPID: true.\", [input.metadata.name])\n}\n\ndeny[msg] {\n  input.kind == \"Pod\"\n  input.spec.hostIPC == true\n  msg := sprintf(\"Pod '%s' must not use hostIPC: true.\", [input.metadata.name])\n}\n\ndeny[msg] {\n  input.kind == \"Pod\"\n  container := input.spec.containers[_]\n  container.securityContext.privileged == true\n  msg := sprintf(\"Container '%s' in Pod '%s' must not run in privileged mode.\", [container.name, input.metadata.name])\n}\n\ndeny[msg] {\n  input.kind == \"Deployment\"\n  input.spec.template.spec.hostNetwork == true\n  msg := sprintf(\"Deployment '%s' must not use hostNetwork: true.\", [input.metadata.name])\n}\n\ndeny[msg] {\n  input.kind == \"Deployment\"\n  container := input.spec.template.spec.containers[_]\n  container.securityContext.privileged == true\n  msg := sprintf(\"Container 
'%s' in Deployment '%s' must not run in privileged mode.\", [container.name, input.metadata.name])\n}<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 2 \u2014 \u0627\u0644\u0627\u062e\u062a\u0628\u0627\u0631 \u0639\u0644\u0649 \u0627\u0644\u062d\u0627\u0648\u064a\u0629 \u063a\u064a\u0631 \u0627\u0644\u0622\u0645\u0646\u0629<\/h3>\n<pre><code>conftest test k8s\/pod-host-network.yaml<\/code><\/pre>\n<p>\u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0645\u062a\u0648\u0642\u0639\u0629:<\/p>\n<pre><code>FAIL - k8s\/pod-host-network.yaml - main - Pod 'debug-pod' must not use hostNetwork: true.\n\n1 test, 0 passed, 0 warnings, 1 failure<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 3 \u2014 \u0625\u0635\u0644\u0627\u062d \u0627\u0644\u0645\u0644\u0641<\/h3>\n<p>\u0627\u062d\u0630\u0641 \u0633\u0637\u0631 <code>hostNetwork: true<\/code> \u0645\u0646 <code>k8s\/pod-host-network.yaml<\/code>:<\/p>\n<pre><code>apiVersion: v1\nkind: Pod\nmetadata:\n  name: debug-pod\nspec:\n  containers:\n    - name: debug\n      image: busybox:1.36\n      command: [\"sleep\", \"3600\"]<\/code><\/pre>\n<p>\u0634\u063a\u0651\u0644 Conftest \u2014 \u062a\u0645\u0631\u0651 \u0627\u0644\u062d\u0627\u0648\u064a\u0629 \u0627\u0644\u0622\u0646 \u0628\u062c\u0645\u064a\u0639 \u0641\u062d\u0648\u0635\u0627\u062a \u0627\u0644\u0648\u0635\u0648\u0644 \u0644\u0644\u0645\u0636\u064a\u0641.<\/p>\n<p>\u0644\u0627\u062d\u0638 \u0623\u0646 \u0642\u0648\u0627\u0639\u062f Deployment \u0623\u0639\u0644\u0627\u0647 \u062a\u063a\u0637\u064a <code>hostNetwork<\/code> \u0648<code>privileged<\/code> \u0641\u0642\u0637\u061b \u0623\u0636\u0641 \u0642\u0627\u0639\u062f\u062a\u064a\u0646 \u0645\u0645\u0627\u062b\u0644\u062a\u064a\u0646 \u0644\u0640 <code>hostPID<\/code> \u0648<code>hostIPC<\/code> \u0639\u0644\u0649 <code>input.spec.template.spec<\/code>\u060c \u0648\u0625\u0644\u0627 \u064a\u0645\u0631\u0651 \u0641\u064a Deployment \u0645\u0627 \u062a\u064f\u0631\u0641\u0636\u0647 \u0627\u0644\u0633\u064a\u0627\u0633\u0629 \u0641\u064a Pod.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 5: \u0627\u062e\u062a\u0628\u0627\u0631 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 <code>opa test<\/code><\/h2>\n<p>\u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0647\u064a \u0634\u064a\u0641\u0631\u0629 \u0628\u0631\u0645\u062c\u064a\u0629\u060c \u0648\u0627\u0644\u0634\u064a\u0641\u0631\u0629 \u062a\u062d\u062a\u0627\u062c \u0627\u062e\u062a\u0628\u0627\u0631\u0627\u062a. 
\u0628\u062f\u0648\u0646 \u0627\u062e\u062a\u0628\u0627\u0631\u0627\u062a \u0644\u0627 \u064a\u0645\u0643\u0646\u0643 \u0627\u0644\u062a\u0623\u0643\u0651\u062f \u0645\u0646 \u0623\u0646\u0651 \u0627\u0644\u0633\u064a\u0627\u0633\u0629 \u062a\u0644\u062a\u0642\u0637 \u0645\u0627 \u064a\u062c\u0628 \u0623\u0648 \u0623\u0646\u0651 \u0625\u0639\u0627\u062f\u0629 \u0647\u064a\u0643\u0644\u0629 \u0645\u0633\u062a\u0642\u0628\u0644\u064a\u0629 \u0644\u0646 \u062a\u064f\u062f\u062e\u0644 \u0646\u062a\u064a\u062c\u0629 \u0625\u064a\u062c\u0627\u0628\u064a\u0629 \u0643\u0627\u0630\u0628\u0629 \u062a\u062d\u0638\u0631 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0646\u0634\u0631 \u0627\u0644\u0645\u0634\u0631\u0648\u0639\u0629.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 1 \u2014 \u0625\u0646\u0634\u0627\u0621 \u062d\u0627\u0644\u0627\u062a \u0627\u0644\u0627\u062e\u062a\u0628\u0627\u0631<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>policy\/tags_test.rego<\/code>:<\/p>\n<pre><code>package main\n\ntest_latest_denied {\n  input := {\n    \"kind\": \"Deployment\",\n    \"spec\": {\n      \"template\": {\n        \"spec\": {\n          \"containers\": [\n            {\n              \"name\": \"app\",\n              \"image\": \"nginx:latest\"\n            }\n          ]\n        }\n      }\n    }\n  }\n  count(deny) > 0\n}\n\ntest_no_tag_denied {\n  input := {\n    \"kind\": \"Deployment\",\n    \"spec\": {\n      \"template\": {\n        \"spec\": {\n          \"containers\": [\n            {\n              \"name\": \"app\",\n              \"image\": \"nginx\"\n            }\n          ]\n        }\n      }\n    }\n  }\n  count(deny) > 0\n}\n\ntest_pinned_allowed {\n  input := {\n    \"kind\": \"Deployment\",\n    \"spec\": {\n      \"template\": {\n        \"spec\": {\n          \"containers\": [\n            {\n              \"name\": \"app\",\n              \"image\": \"nginx:1.25.4\"\n            }\n          ]\n        }\n      }\n    }\n  }\n  count(deny) == 
0\n}<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 2 \u2014 \u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u0627\u062e\u062a\u0628\u0627\u0631\u0627\u062a<\/h3>\n<pre><code>opa test policy\/ -v<\/code><\/pre>\n<p>\u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0645\u062a\u0648\u0642\u0639\u0629:<\/p>\n<pre><code>policy\/tags_test.rego:\ndata.main.test_latest_denied: PASS (1.234ms)\ndata.main.test_no_tag_denied: PASS (0.567ms)\ndata.main.test_pinned_allowed: PASS (0.432ms)\n--------------------------------------------------------------------------------\nPASS: 3\/3<\/code><\/pre>\n<h3>\u0644\u0645\u0627\u0630\u0627 \u064a\u064f\u0639\u062f\u0651 \u0627\u062e\u062a\u0628\u0627\u0631 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0645\u0647\u0645\u064b\u0627<\/h3>\n<p>\u0641\u064a \u0633\u064a\u0627\u0642 CI\/CD\u060c \u0627\u0644\u0646\u062a\u064a\u062c\u0629 \u0627\u0644\u0633\u0644\u0628\u064a\u0629 \u0627\u0644\u0643\u0627\u0630\u0628\u0629 \u062a\u0639\u0646\u064a \u0623\u0646\u0651 \u0645\u0644\u0641\u064b\u0627 \u063a\u064a\u0631 \u0622\u0645\u0646 \u064a\u062a\u0633\u0644\u0651\u0644\u060c \u0628\u064a\u0646\u0645\u0627 \u0627\u0644\u0646\u062a\u064a\u062c\u0629 \u0627\u0644\u0625\u064a\u062c\u0627\u0628\u064a\u0629 \u0627\u0644\u0643\u0627\u0630\u0628\u0629 \u062a\u062d\u0638\u0631 \u0646\u0634\u0631\u064b\u0627 \u0645\u0634\u0631\u0648\u0639\u064b\u0627 \u0648\u062a\u064f\u0641\u0642\u062f \u0627\u0644\u0645\u0637\u0648\u0651\u0631\u064a\u0646 \u062b\u0642\u062a\u0647\u0645 \u0641\u064a \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628. 
\u0628\u0643\u062a\u0627\u0628\u0629 \u062d\u0627\u0644\u0627\u062a \u0627\u062e\u062a\u0628\u0627\u0631 \u0635\u0631\u064a\u062d\u0629 \u0644\u0643\u0644\u0651 \u0645\u0646 \u0627\u0644\u0645\u062f\u062e\u0644\u0627\u062a \u0627\u0644\u0645\u0633\u0645\u0648\u062d\u0629 \u0648\u0627\u0644\u0645\u0631\u0641\u0648\u0636\u0629\u060c \u062a\u062d\u0635\u0644 \u0639\u0644\u0649 \u0645\u062c\u0645\u0648\u0639\u0629 \u0627\u062e\u062a\u0628\u0627\u0631\u0627\u062a \u0627\u0646\u062d\u062f\u0627\u0631 \u062a\u0639\u0645\u0644 \u0641\u064a \u0623\u062c\u0632\u0627\u0621 \u0645\u0646 \u0627\u0644\u062b\u0627\u0646\u064a\u0629 \u0648\u062a\u0636\u0645\u0646 \u0623\u0646\u0651 \u0633\u064a\u0627\u0633\u0627\u062a\u0643 \u062a\u062a\u0635\u0631\u0651\u0641 \u0628\u0634\u0643\u0644 \u0635\u062d\u064a\u062d \u0645\u0639 \u0646\u0645\u0648 \u0645\u0643\u062a\u0628\u0629 \u0627\u0644\u0642\u0648\u0627\u0639\u062f.<\/p>\n<p>\u0627\u062c\u0639\u0644 \u0645\u0646 \u0639\u0627\u062f\u062a\u0643 \u0625\u0636\u0627\u0641\u0629 \u0645\u0644\u0641 <code>*_test.rego<\/code> \u0644\u0643\u0644\u0651 \u0645\u0644\u0641 \u0633\u064a\u0627\u0633\u0629 \u062c\u062f\u064a\u062f. 
\u0634\u063a\u0651\u0644 <code>opa test policy\/ -v<\/code> \u0643\u062c\u0632\u0621 \u0645\u0646 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI \u0625\u0644\u0649 \u062c\u0627\u0646\u0628 <code>conftest test<\/code>.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 6: \u062f\u0645\u062c Conftest \u0641\u064a GitHub Actions<\/h2>\n<p>\u0628\u0639\u062f \u0643\u062a\u0627\u0628\u0629 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0648\u0627\u062e\u062a\u0628\u0627\u0631\u0647\u0627\u060c \u0627\u0644\u062e\u0637\u0648\u0629 \u0627\u0644\u062a\u0627\u0644\u064a\u0629 \u0647\u064a \u0631\u0628\u0637\u0647\u0627 \u0628\u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI \u0644\u062f\u064a\u0643 \u0628\u062d\u064a\u062b \u064a\u062a\u0645 \u0627\u0644\u062a\u062d\u0642\u0651\u0642 \u0645\u0646 \u0643\u0644\u0651 \u0637\u0644\u0628 \u062f\u0645\u062c \u062a\u0644\u0642\u0627\u0626\u064a\u064b\u0627.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 1 \u2014 \u0625\u0646\u0634\u0627\u0621 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>.github\/workflows\/policy-check.yml<\/code>. يتضمّن سير العمل ثلاث نقاط تحصين لسلسلة التوريد: منح <code>GITHUB_TOKEN<\/code> صلاحية القراءة فقط عبر <code>permissions<\/code>، والتحقّق من بصمة SHA-256 لثنائيّات Conftest وOPA قبل تشغيلها (فالتنزيل دون تحقّق يعني أنّ بوابة السياسة نفسها تثق بأيّ شيء يعيده الخادم)، وفحص كلّ الملفات تحت <code>k8s\/<\/code> تكراريًا بما يطابق مرشّح <code>paths<\/code> حتى لا يتجاوز البوابة ملفٌ في مجلد فرعي أو بامتداد <code>.yml<\/code>:<\/p>\n<pre><code>name: Kubernetes Policy Check\n\non:\n  pull_request:\n    paths:\n      - \"k8s\/**\"\n      - \"policy\/**\"\n  push:\n    branches: [main]\n    paths:\n      - \"k8s\/**\"\n      - \"policy\/**\"\n\n# Least privilege: the job only reads the repository, so the GITHUB_TOKEN\n# gets read-only permissions.\npermissions:\n  contents: read\n\njobs:\n  conftest:\n    name: Validate K8s Manifests\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout repository\n        # Prefer pinning actions to a full commit SHA (keep the tag in a\n        # comment) instead of a mutable tag such as v4.\n        uses: actions\/checkout@v4\n\n      - name: Install Conftest\n        env:\n          CONFTEST_VERSION: \"0.56.0\"\n          # Expected SHA-256 of the tarball, taken from the release's\n          # checksums.txt. Update it together with CONFTEST_VERSION.\n          CONFTEST_SHA256: \"REPLACE_WITH_SHA256_FROM_RELEASE_CHECKSUMS_TXT\"\n        run: |\n          TARBALL=\"conftest_${CONFTEST_VERSION}_Linux_x86_64.tar.gz\"\n          wget -q \"https:\/\/github.com\/open-policy-agent\/conftest\/releases\/download\/v${CONFTEST_VERSION}\/${TARBALL}\"\n          # Fail closed if the archive does not match the pinned digest.\n          echo \"${CONFTEST_SHA256}  ${TARBALL}\" | sha256sum -c -\n          tar xzf \"${TARBALL}\"\n          sudo mv conftest \/usr\/local\/bin\/\n          conftest --version\n\n      - name: Install OPA\n        env:\n          OPA_VERSION: \"v0.68.0\"\n          # Expected SHA-256 of the static binary from the release page.\n          OPA_SHA256: \"REPLACE_WITH_SHA256_FROM_RELEASE_PAGE\"\n        run: |\n          # -f makes curl fail on an HTTP error instead of saving the error\n          # page as the \"binary\".\n          curl -fsSL -o opa \"https:\/\/openpolicyagent.org\/downloads\/${OPA_VERSION}\/opa_linux_amd64_static\"\n          echo \"${OPA_SHA256}  opa\" | sha256sum -c -\n          chmod +x opa\n          sudo mv opa \/usr\/local\/bin\/\n          opa version\n\n      - name: Run policy unit tests\n        run: opa test policy\/ -v\n\n      - name: Run Conftest against all manifests\n        run: |\n          echo \"Scanning all Kubernetes manifests in k8s\/ ...\"\n          # Walk k8s\/ recursively and accept both extensions so the scanned set\n          # matches the k8s\/** trigger above: a manifest in a subdirectory or\n          # named *.yml must not slip past the gate.\n          shopt -s globstar nullglob\n          FILES=(k8s\/**\/*.yaml k8s\/**\/*.yml)\n          if [ \"${#FILES[@]}\" -eq 0 ]; then\n            echo \"No manifests found under k8s\/.\"\n            exit 1\n          fi\n          FAILED=0\n          for file in \"${FILES[@]}\"; do\n            echo \"\"\n            echo \"--- Testing: $file ---\"\n            if ! conftest test \"$file\" --policy policy\/; then\n              FAILED=1\n            fi\n          done\n          if [ \"$FAILED\" -eq 1 ]; then\n            echo \"\"\n            echo \"One or more manifests violated policy. Fix the issues above.\"\n            exit 1\n          fi\n          echo \"\"\n          echo \"All manifests passed policy checks.\"<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 2 \u2014 \u0645\u0644\u0627\u062d\u0638\u0629 \u0637\u0644\u0628 \u062f\u0645\u062c \u0641\u0627\u0634\u0644<\/h3>\n<p>\u0627\u062f\u0641\u0639 \u0641\u0631\u0639\u064b\u0627 \u064a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u063a\u064a\u0631 \u0627\u0644\u0622\u0645\u0646\u0629 \u0627\u0644\u0623\u0635\u0644\u064a\u0629. \u0633\u062a\u0628\u062f\u0648 \u0645\u062e\u0631\u062c\u0627\u062a \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0643\u0627\u0644\u062a\u0627\u0644\u064a:<\/p>\n<pre><code>--- Testing: k8s\/deployment-latest-tag.yaml ---\nFAIL - k8s\/deployment-latest-tag.yaml - main - Container 'nginx' uses the ':latest' tag in image 'nginx:latest'. 
Pin to a specific version.\n\n--- Testing: k8s\/deployment-run-as-root.yaml ---\nFAIL - k8s\/deployment-run-as-root.yaml - main - Container 'nginx' must set securityContext.runAsNonRoot to true.\nFAIL - k8s\/deployment-run-as-root.yaml - main - Container 'nginx' must set securityContext.allowPrivilegeEscalation to false.\n\n--- Testing: k8s\/pod-host-network.yaml ---\nFAIL - k8s\/pod-host-network.yaml - main - Pod 'debug-pod' must not use hostNetwork: true.\n\nOne or more manifests violated policy. Fix the issues above.\nError: Process completed with exit code 1.<\/code><\/pre>\n<p>\u064a\u062a\u062d\u0648\u0651\u0644 \u0641\u062d\u0635 \u062d\u0627\u0644\u0629 \u0637\u0644\u0628 \u0627\u0644\u062f\u0645\u062c \u0625\u0644\u0649 \u0627\u0644\u0644\u0648\u0646 \u0627\u0644\u0623\u062d\u0645\u0631 \u0645\u0639 \u0631\u0633\u0627\u0626\u0644 \u0627\u0646\u062a\u0647\u0627\u0643 \u0648\u0627\u0636\u062d\u0629 \u062a\u062e\u0628\u0631 \u0627\u0644\u0645\u0637\u0648\u0651\u0631 \u0628\u0627\u0644\u0636\u0628\u0637 \u0628\u0645\u0627 \u064a\u062c\u0628 \u0625\u0635\u0644\u0627\u062d\u0647 \u0648\u0623\u064a\u0646.<\/p>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 3 \u2014 \u0645\u0644\u0627\u062d\u0638\u0629 \u0637\u0644\u0628 \u062f\u0645\u062c \u0646\u0627\u062c\u062d<\/h3>\n<p>\u0623\u0635\u0644\u062d \u062c\u0645\u064a\u0639 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0643\u0645\u0627 \u0647\u0648 \u0645\u0648\u0636\u0651\u062d \u0641\u064a \u0627\u0644\u062a\u0645\u0627\u0631\u064a\u0646 \u0627\u0644\u0633\u0627\u0628\u0642\u0629\u060c \u0627\u062f\u0641\u0639 \u0645\u062c\u062f\u062f\u064b\u0627\u060c \u0648\u0633\u064a\u0645\u0631\u0651 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628:<\/p>\n<pre><code>--- Testing: k8s\/deployment-latest-tag.yaml ---\n1 test, 1 passed, 0 warnings, 0 failures\n\n--- Testing: k8s\/deployment-run-as-root.yaml ---\n1 test, 1 passed, 0 warnings, 0 failures\n\n--- Testing: k8s\/deployment-no-limits.yaml ---\n1 test, 1 passed, 
0 warnings, 0 failures\n\nAll manifests passed policy checks.<\/code><\/pre>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 7: \u062f\u0645\u062c Conftest \u0641\u064a GitLab CI<\/h2>\n<p>\u0625\u0630\u0627 \u0643\u0627\u0646 \u0641\u0631\u064a\u0642\u0643 \u064a\u0633\u062a\u062e\u062f\u0645 GitLab\u060c \u0641\u0627\u0644\u062a\u0643\u0627\u0645\u0644 \u0628\u0646\u0641\u0633 \u0627\u0644\u0633\u0647\u0648\u0644\u0629. \u0623\u0636\u0641 \u0627\u0644\u0648\u0638\u064a\u0641\u0629 \u0627\u0644\u062a\u0627\u0644\u064a\u0629 \u0625\u0644\u0649 \u0645\u0644\u0641 <code>.gitlab-ci.yml<\/code>:<\/p>\n<h3>\u0627\u0644\u062a\u0643\u0648\u064a\u0646 \u0627\u0644\u0643\u0627\u0645\u0644 \u0627\u0644\u0639\u0627\u0645\u0644<\/h3>\n<pre><code>stages:\n  - validate\n\nconftest-policy-check:\n  stage: validate\n  # Pin the toolchain image; a digest (alpine:3.19@sha256:...) is the\n  # strongest form, so the gate's own tooling cannot change underneath it.\n  image: alpine:3.19\n  variables:\n    CONFTEST_VERSION: \"0.56.0\"\n    OPA_VERSION: \"v0.68.0\"\n    # Expected SHA-256 digests from the releases; update them with the versions.\n    CONFTEST_SHA256: \"REPLACE_WITH_SHA256_FROM_RELEASE_CHECKSUMS_TXT\"\n    OPA_SHA256: \"REPLACE_WITH_SHA256_FROM_RELEASE_PAGE\"\n  before_script:\n    - apk add --no-cache curl wget tar\n    - TARBALL=\"conftest_${CONFTEST_VERSION}_Linux_x86_64.tar.gz\"\n    - wget -q \"https:\/\/github.com\/open-policy-agent\/conftest\/releases\/download\/v${CONFTEST_VERSION}\/${TARBALL}\"\n    # Fail closed if a download does not match its pinned digest.\n    - echo \"${CONFTEST_SHA256}  ${TARBALL}\" | sha256sum -c -\n    - tar xzf \"${TARBALL}\"\n    - mv conftest \/usr\/local\/bin\/\n    # -f makes curl fail on an HTTP error instead of saving the error page as the binary.\n    - curl -fsSL -o \/usr\/local\/bin\/opa \"https:\/\/openpolicyagent.org\/downloads\/${OPA_VERSION}\/opa_linux_amd64_static\"\n    - echo \"${OPA_SHA256}  \/usr\/local\/bin\/opa\" | sha256sum -c -\n    - chmod +x \/usr\/local\/bin\/opa\n  script:\n    - echo \"Running policy unit tests...\"\n    - opa test policy\/ -v\n    - echo \"Running Conftest against all manifests...\"\n    - |\n      # Walk k8s\/ recursively (busybox sh has no globstar) and accept both\n      # extensions so the scanned set matches the k8s\/**\/* rule below: a\n      # manifest in a subdirectory or named *.yml must not slip past the gate.\n      FILES=$(find k8s -type f \\( -name '*.yaml' -o -name '*.yml' \\) | sort)\n      if [ -z \"$FILES\" ]; then\n        echo \"No manifests found under k8s\/.\"\n        exit 1\n      fi\n      FAILED=0\n      for file in $FILES; do\n        echo \"\"\n        echo \"--- Testing: $file ---\"\n        if ! conftest test \"$file\" --policy policy\/; then\n          FAILED=1\n        fi\n      done\n      if [ \"$FAILED\" -eq 1 ]; then\n        echo \"\"\n        echo \"One or more manifests violated policy.\"\n        exit 1\n      fi\n      echo \"\"\n      echo \"All manifests passed policy checks.\"\n  rules:\n    - changes:\n        - k8s\/**\/*\n        - policy\/**\/*\n      when: always<\/code><\/pre>\n<h3>\u0633\u0644\u0648\u0643 \u0627\u0644\u0646\u062c\u0627\u062d \u0648\u0627\u0644\u0641\u0634\u0644<\/h3>\n<p>\u064a\u0639\u0643\u0633 \u0627\u0644\u0633\u0644\u0648\u0643 \u0633\u064a\u0631 \u0639\u0645\u0644 GitHub Actions \u0628\u0627\u0644\u0636\u0628\u0637. \u0639\u0646\u062f \u0648\u062c\u0648\u062f \u0645\u0644\u0641\u0627\u062a \u063a\u064a\u0631 \u0622\u0645\u0646\u0629\u060c \u062a\u0641\u0634\u0644 \u0627\u0644\u0648\u0638\u064a\u0641\u0629 \u0645\u0639 \u0631\u0633\u0627\u0626\u0644 \u0627\u0644\u0627\u0646\u062a\u0647\u0627\u0643. \u0639\u0646\u062f\u0645\u0627 \u062a\u0643\u0648\u0646 \u062c\u0645\u064a\u0639 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0645\u062a\u0648\u0627\u0641\u0642\u0629\u060c \u062a\u0645\u0631\u0651 \u0627\u0644\u0648\u0638\u064a\u0641\u0629 \u0628\u0645\u0644\u062e\u0651\u0635 \u0646\u0638\u064a\u0641. وكما في سير عمل GitHub، يتحقّق التكوين من بصمة SHA-256 للأدوات المنزَّلة قبل تشغيلها (فتفشل الوظيفة بدل أن تعمل بثنائي مُستبدَل)، ويفحص كلّ الملفات تحت <code>k8s\/<\/code> تكراريًا بما يطابق نطاق قاعدة <code>changes<\/code>. 
\u064a\u0636\u0645\u0646 \u0642\u0633\u0645 <code>rules<\/code> \u0623\u0646\u0651 \u0627\u0644\u0648\u0638\u064a\u0641\u0629 \u062a\u0639\u0645\u0644 \u0641\u0642\u0637 \u0639\u0646\u062f \u062a\u063a\u064a\u064a\u0631 \u0645\u0644\u0641\u0627\u062a Kubernetes \u0623\u0648 \u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0633\u064a\u0627\u0633\u0629\u060c \u0645\u0645\u0627 \u064a\u062d\u0627\u0641\u0638 \u0639\u0644\u0649 \u0648\u0642\u062a \u062a\u0634\u063a\u064a\u0644 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0641\u064a \u062d\u062f\u0651\u0647 \u0627\u0644\u0623\u062f\u0646\u0649.<\/p>\n<h2>\u0645\u062a\u0642\u062f\u0651\u0645: \u0627\u0644\u062a\u062d\u0630\u064a\u0631\u0627\u062a \u0645\u0642\u0627\u0628\u0644 \u0627\u0644\u0631\u0641\u0636<\/h2>\n<p>\u0644\u064a\u0633 \u0643\u0644\u0651 \u0627\u0646\u062a\u0647\u0627\u0643 \u0644\u0644\u0633\u064a\u0627\u0633\u0629 \u064a\u062c\u0628 \u0623\u0646 \u064a\u062d\u0638\u0631 \u0627\u0644\u0646\u0634\u0631. \u0628\u0639\u0636\u0647\u0627 \u062a\u0648\u0635\u064a\u0627\u062a \u2014 \u0623\u0641\u0636\u0644 \u0645\u0645\u0627\u0631\u0633\u0627\u062a \u062a\u0631\u064a\u062f \u0625\u0638\u0647\u0627\u0631\u0647\u0627 \u062f\u0648\u0646 \u0643\u0633\u0631 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628. \u064a\u062f\u0639\u0645 Conftest \u0647\u0630\u0627 \u0627\u0644\u062a\u0645\u064a\u064a\u0632 \u0645\u0646 \u062e\u0644\u0627\u0644 \u0642\u0648\u0627\u0639\u062f <code>warn<\/code>.<\/p>\n<h3>\u0643\u064a\u0641 \u064a\u0639\u0645\u0644<\/h3>\n<ul>\n<li><strong><code>deny[msg]<\/code><\/strong> \u2014 \u0628\u0648\u0627\u0628\u0629 \u0635\u0627\u0631\u0645\u0629. 
\u0625\u0630\u0627 \u0623\u064f\u0637\u0644\u0642\u062a \u0623\u064a\u0651 \u0642\u0627\u0639\u062f\u0629 deny\u060c \u064a\u062e\u0631\u062c <code>conftest test<\/code> \u0628\u0643\u0648\u062f \u063a\u064a\u0631 \u0635\u0641\u0631\u064a \u0648\u064a\u0641\u0634\u0644 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628.<\/li>\n<li><strong><code>warn[msg]<\/code><\/strong> \u2014 \u0627\u0633\u062a\u0634\u0627\u0631\u064a. \u062a\u064f\u0637\u0628\u0639 \u0627\u0644\u0631\u0633\u0627\u0644\u0629 \u0644\u0643\u0646 \u064a\u0628\u0642\u0649 \u0643\u0648\u062f \u0627\u0644\u062e\u0631\u0648\u062c \u0635\u0641\u0631\u064b\u0627\u060c \u0641\u064a\u0645\u0631\u0651 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628.<\/li>\n<li><strong><code>conftest test --fail-on-warn<\/code><\/strong> \u2014 \u064a\u0631\u0641\u0639 \u0627\u062e\u062a\u064a\u0627\u0631\u064a\u064b\u0627 \u062c\u0645\u064a\u0639 \u0627\u0644\u062a\u062d\u0630\u064a\u0631\u0627\u062a \u0625\u0644\u0649 \u0625\u062e\u0641\u0627\u0642\u0627\u062a. 
\u0645\u0641\u064a\u062f \u0639\u0646\u062f\u0645\u0627 \u062a\u0631\u064a\u062f \u062a\u0634\u062f\u064a\u062f \u0627\u0644\u0633\u064a\u0627\u0633\u0629 \u062a\u062f\u0631\u064a\u062c\u064a\u064b\u0627: \u0627\u0628\u062f\u0623 \u0628\u0640 <code>warn<\/code>\u060c \u0648\u0628\u0645\u062c\u0631\u062f \u0623\u0646 \u062a\u064f\u0635\u0644\u062d \u0627\u0644\u0641\u0631\u0642 \u0627\u0644\u0627\u0646\u062a\u0647\u0627\u0643\u0627\u062a \u0627\u0644\u0645\u0648\u062c\u0648\u062f\u0629\u060c \u0627\u0646\u062a\u0642\u0644 \u0625\u0644\u0649 <code>deny<\/code> \u0623\u0648 \u0641\u0639\u0651\u0644 <code>--fail-on-warn<\/code>.<\/li>\n<\/ul>\n<h3>\u0625\u0646\u0634\u0627\u0621 \u0633\u064a\u0627\u0633\u0629 \u0627\u0633\u062a\u0634\u0627\u0631\u064a\u0629<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>policy\/recommendations.rego<\/code>:<\/p>\n<pre><code>package main\n\nwarn[msg] {\n  input.kind == \"Service\"\n  input.spec.type == \"LoadBalancer\"\n  not input.metadata.annotations\n  msg := sprintf(\"Service '%s' is of type LoadBalancer with no annotations. Consider adding cloud-provider-specific annotations for internal load balancers.\", [input.metadata.name])\n}\n\nwarn[msg] {\n  input.kind == \"Deployment\"\n  container := input.spec.template.spec.containers[_]\n  not container.readinessProbe\n  msg := sprintf(\"Container '%s' has no readinessProbe. Add one so Kubernetes can route traffic only to healthy pods.\", [container.name])\n}\n\nwarn[msg] {\n  input.kind == \"Deployment\"\n  container := input.spec.template.spec.containers[_]\n  not container.livenessProbe\n  msg := sprintf(\"Container '%s' has no livenessProbe. 
Add one so Kubernetes can restart unhealthy pods.\", [container.name])\n}<\/code><\/pre>\n<h3>\u0627\u062e\u062a\u0628\u0627\u0631 \u0627\u0644\u0633\u064a\u0627\u0633\u0629 \u0627\u0644\u0627\u0633\u062a\u0634\u0627\u0631\u064a\u0629<\/h3>\n<pre><code>conftest test k8s\/service-loadbalancer.yaml<\/code><\/pre>\n<p>\u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0645\u062a\u0648\u0642\u0639\u0629:<\/p>\n<pre><code>WARN - k8s\/service-loadbalancer.yaml - main - Service 'web-lb' is of type LoadBalancer with no annotations. Consider adding cloud-provider-specific annotations for internal load balancers.\n\n1 test, 1 passed, 1 warning, 0 failures<\/code><\/pre>\n<p>\u0645\u0644\u0627\u062d\u0638\u0629: \u0643\u0648\u062f \u0627\u0644\u062e\u0631\u0648\u062c \u0647\u0648 <code>0<\/code> \u2014 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0644\u0627 \u064a\u0632\u0627\u0644 \u064a\u0645\u0631\u0651. \u0625\u0630\u0627 \u0623\u0631\u062f\u062a \u0641\u0631\u0636 \u0627\u0644\u062a\u062d\u0630\u064a\u0631\u0627\u062a:<\/p>\n<pre><code>conftest test k8s\/service-loadbalancer.yaml --fail-on-warn<\/code><\/pre>\n<p>\u0627\u0644\u0622\u0646 \u0643\u0648\u062f \u0627\u0644\u062e\u0631\u0648\u062c \u0647\u0648 <code>1<\/code> \u0648\u0633\u064a\u0641\u0634\u0644 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628.<\/p>\n<p>\u064a\u062a\u064a\u062d \u0644\u0643 \u0647\u0630\u0627 \u0627\u0644\u0646\u0645\u0637 \u0637\u0631\u062d \u0633\u064a\u0627\u0633\u0627\u062a \u062c\u062f\u064a\u062f\u0629 \u062a\u062f\u0631\u064a\u062c\u064a\u064b\u0627: \u0642\u062f\u0651\u0645\u0647\u0627 \u0643\u062a\u062d\u0630\u064a\u0631\u0627\u062a\u060c \u0648\u0627\u0645\u0646\u062d \u0627\u0644\u0641\u0631\u0642 \u0648\u0642\u062a\u064b\u0627 \u0644\u0644\u0645\u0639\u0627\u0644\u062c\u0629\u060c \u062b\u0645 \u0627\u0631\u0641\u0639\u0647\u0627 \u0625\u0644\u0649 
\u0631\u0641\u0636.<\/p>\n<h2>\u0627\u0644\u062a\u0646\u0638\u064a\u0641<\/h2>\n<p>\u0639\u0646\u062f \u0627\u0644\u0627\u0646\u062a\u0647\u0627\u0621 \u0645\u0646 \u0627\u0644\u0645\u062e\u062a\u0628\u0631\u060c \u0627\u062d\u0630\u0641 \u0645\u0648\u0627\u0631\u062f \u0627\u0644\u0627\u062e\u062a\u0628\u0627\u0631:<\/p>\n<pre><code># Remove the lab directory\nrm -rf conftest-k8s-lab\n\n# If you deployed any fixed manifests to a test cluster\nkubectl delete -f k8s\/ --ignore-not-found\n\n# If you created a kind cluster for this lab\nkind delete cluster --name conftest-lab<\/code><\/pre>\n<h2>\u0627\u0644\u0646\u0642\u0627\u0637 \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629<\/h2>\n<ul>\n<li><strong>\u0627\u0646\u0642\u0644 \u0627\u0644\u0623\u0645\u0627\u0646 \u0625\u0644\u0649 \u0627\u0644\u064a\u0633\u0627\u0631 \u0628\u0642\u0648\u0629.<\/strong> \u0627\u0643\u062a\u0634\u0627\u0641 \u0645\u0644\u0641 \u0645\u064f\u0647\u064a\u064e\u0651\u0623 \u0628\u0634\u0643\u0644 \u062e\u0627\u0637\u0626 \u0641\u064a \u0637\u0644\u0628 \u062f\u0645\u062c \u0623\u0631\u062e\u0635 \u0628\u0623\u0636\u0639\u0627\u0641 \u0645\u0646 \u0627\u0643\u062a\u0634\u0627\u0641\u0647 \u0628\u0639\u062f \u0627\u062e\u062a\u0631\u0627\u0642.<\/li>\n<li><strong>Conftest + Rego \u0646\u0642\u0637\u0629 \u062f\u062e\u0648\u0644 \u062e\u0641\u064a\u0641\u0629 \u0644\u0633\u064a\u0627\u0633\u0629 \u0643\u0634\u064a\u0641\u0631\u0629.<\/strong> \u0644\u0627 \u062a\u062d\u062a\u0627\u062c \u0625\u0644\u0649 \u062e\u0627\u062f\u0645 OPA \u0643\u0627\u0645\u0644 \u0623\u0648 \u062a\u062b\u0628\u064a\u062a Gatekeeper \u0644\u0628\u062f\u0621 \u0641\u0631\u0636 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u2014 \u0645\u0644\u0641 \u062a\u0646\u0641\u064a\u0630\u064a \u0648\u0627\u062d\u062f \u0648\u0628\u0636\u0639\u0629 \u0645\u0644\u0641\u0627\u062a Rego \u0643\u0627\u0641\u064a\u0629.<\/li>\n<li><strong>\u0627\u062e\u062a\u0628\u0631 \u0633\u064a\u0627\u0633\u0627\u062a\u0643 
\u0643\u0634\u064a\u0641\u0631\u0629 \u062a\u0637\u0628\u064a\u0642.<\/strong> \u0627\u0633\u062a\u062e\u062f\u0645 <code>opa test<\/code> \u0645\u0639 \u062d\u0627\u0644\u0627\u062a \u0627\u062e\u062a\u0628\u0627\u0631 \u0635\u0631\u064a\u062d\u0629 \u0625\u064a\u062c\u0627\u0628\u064a\u0629 \u0648\u0633\u0644\u0628\u064a\u0629 \u0644\u0645\u0646\u0639 \u0627\u0644\u062a\u0631\u0627\u062c\u0639\u0627\u062a \u0641\u064a \u0645\u0643\u062a\u0628\u0629 \u0627\u0644\u0642\u0648\u0627\u0639\u062f.<\/li>\n<li><strong>\u0627\u0633\u062a\u062e\u062f\u0645 \u0627\u0644\u062a\u062d\u0630\u064a\u0631\u0627\u062a \u0644\u0644\u0637\u0631\u062d \u0627\u0644\u062a\u062f\u0631\u064a\u062c\u064a.<\/strong> \u0627\u0628\u062f\u0623 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u062c\u062f\u064a\u062f\u0629 \u0643\u0642\u0648\u0627\u0639\u062f <code>warn<\/code>\u060c \u0648\u0646\u0634\u0631\u0647\u0627 \u0645\u0639 \u0627\u0644\u0641\u0631\u064a\u0642\u060c \u062b\u0645 \u0627\u0631\u0641\u0639\u0647\u0627 \u0625\u0644\u0649 <code>deny<\/code> \u0628\u0645\u062c\u0631\u062f \u062d\u0644\u0651 \u0627\u0644\u0627\u0646\u062a\u0647\u0627\u0643\u0627\u062a \u0627\u0644\u0645\u0648\u062c\u0648\u062f\u0629.<\/li>\n<li><strong>\u0631\u0633\u0627\u0626\u0644 \u0627\u0644\u062e\u0637\u0623 \u0627\u0644\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0646\u0641\u064a\u0630 \u062d\u0627\u0633\u0645\u0629.<\/strong> \u0627\u0633\u062a\u062e\u062f\u0645 <code>sprintf<\/code> \u0641\u064a \u0643\u0644\u0651 \u0642\u0627\u0639\u062f\u0629 \u0644\u0625\u062e\u0628\u0627\u0631 \u0627\u0644\u0645\u0637\u0648\u0651\u0631 \u0628\u0623\u064a\u0651 \u062d\u0627\u0648\u064a\u0629 \u0648\u0623\u064a\u0651 \u062d\u0642\u0644 \u0648\u0645\u0627\u0630\u0627 \u064a\u0641\u0639\u0644 \u062d\u064a\u0627\u0644 \u0630\u0644\u0643. 
\u0627\u0644\u0631\u0633\u0627\u0626\u0644 \u0627\u0644\u0639\u0627\u0645\u0629 &#8220;\u062a\u0645 \u0627\u0646\u062a\u0647\u0627\u0643 \u0627\u0644\u0633\u064a\u0627\u0633\u0629&#8221; \u062a\u064f\u0641\u0642\u062f \u0627\u0644\u062b\u0642\u0629 \u0641\u064a \u0628\u0648\u0627\u0628\u0627\u062a CI.<\/li>\n<li><strong>\u0627\u062d\u062a\u0641\u0638 \u0628\u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0641\u064a \u0646\u0641\u0633 \u0645\u0633\u062a\u0648\u062f\u0639 \u0627\u0644\u0645\u0644\u0641\u0627\u062a.<\/strong> \u0648\u0636\u0639 <code>policy\/<\/code> \u0628\u062c\u0627\u0646\u0628 <code>k8s\/<\/code> \u064a\u0639\u0646\u064a \u0623\u0646\u0651 \u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0627\u0644\u0633\u064a\u0627\u0633\u0629 \u062a\u0645\u0631\u0651 \u0628\u0646\u0641\u0633 \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0645\u0631\u0627\u062c\u0639\u0629 \u0643\u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0627\u0644\u0628\u0646\u064a\u0629 \u0627\u0644\u062a\u062d\u062a\u064a\u0629.<\/li>\n<\/ul>\n<h2>\u0627\u0644\u062e\u0637\u0648\u0627\u062a \u0627\u0644\u062a\u0627\u0644\u064a\u0629<\/h2>\n<p>\u0627\u0644\u0622\u0646 \u0628\u0639\u062f \u0623\u0646 \u0623\u0635\u0628\u062d \u0644\u062f\u064a\u0643 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 Conftest \u0639\u0627\u0645\u0644\u060c \u0648\u0627\u0635\u0644 \u0628\u0646\u0627\u0621 \u0645\u0645\u0627\u0631\u0633\u0629 \u0633\u064a\u0627\u0633\u0629 \u0643\u0634\u064a\u0641\u0631\u0629:<\/p>\n<ul>\n<li><strong><a href=\"\/ar\/ci-cd-security\/policy-as-code-ci-cd-opa-rego-security-gates\/\">\u0633\u064a\u0627\u0633\u0629 \u0643\u0634\u064a\u0641\u0631\u0629 \u0644\u0640 CI\/CD: OPA \u0648Rego<\/a><\/strong> \u2014 \u062a\u0639\u0645\u0651\u0642 \u0623\u0643\u062b\u0631 \u0641\u064a \u0644\u063a\u0629 Rego\u060c \u0648\u062a\u0639\u0644\u0651\u0645 \u0639\u0646 \u0627\u0633\u062a\u064a\u0631\u0627\u062f \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0648\u0625\u062f\u0627\u0631\u0629 
\u0627\u0644\u062d\u0632\u0645 \u0648\u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u0642\u0631\u0627\u0631\u0627\u062a \u0644\u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u062a\u062f\u0642\u064a\u0642.<\/li>\n<li><strong><a href=\"\/ar\/ci-cd-security\/defensive-patterns-mitigations-ci-cd-pipeline-attacks\/\">\u0627\u0644\u0623\u0646\u0645\u0627\u0637 \u0627\u0644\u062f\u0641\u0627\u0639\u064a\u0629 \u0648\u0627\u0644\u062a\u062e\u0641\u064a\u0641\u0627\u062a<\/a><\/strong> \u2014 \u0627\u0633\u062a\u0643\u0634\u0641 \u0627\u0644\u0645\u0634\u0647\u062f \u0627\u0644\u0623\u0648\u0633\u0639 \u0644\u062a\u0639\u0632\u064a\u0632 \u0623\u0645\u0627\u0646 \u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD\u060c \u0645\u0646 \u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0625\u0644\u0649 \u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0642\u0637\u0639 \u0627\u0644\u0623\u062b\u0631\u064a\u0629 \u0648\u0627\u0644\u062a\u0637\u0628\u064a\u0642 \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u062a\u0634\u063a\u064a\u0644.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\u0646\u0638\u0631\u0629 \u0639\u0627\u0645\u0629 \u062a\u064f\u0639\u062f\u0651 \u0645\u0644\u0641\u0627\u062a Kubernetes \u0627\u0644\u0645\u064f\u0647\u064a\u064e\u0651\u0623\u0629 \u0628\u0634\u0643\u0644 \u062e\u0627\u0637\u0626 \u0645\u0646 \u0623\u0628\u0631\u0632 \u0623\u0633\u0628\u0627\u0628 \u0627\u0644\u062d\u0648\u0627\u062f\u062b \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0641\u064a \u0628\u064a\u0626\u0627\u062a \u0627\u0644\u0625\u0646\u062a\u0627\u062c. 
\u0641\u062d\u0627\u0648\u064a\u0629 \u062a\u0639\u0645\u0644 \u0628\u0635\u0644\u0627\u062d\u064a\u0627\u062a root\u060c \u0623\u0648 \u0648\u0633\u0645 \u0635\u0648\u0631\u0629 \u063a\u064a\u0631 \u0645\u064f\u062b\u0628\u064e\u0651\u062a\u060c \u0623\u0648 \u062d\u062f\u0651 \u0645\u0648\u0627\u0631\u062f \u0645\u0641\u0642\u0648\u062f\u060c \u0623\u0648 \u0634\u0628\u0643\u0629 \u0645\u0636\u064a\u0641 \u0645\u0643\u0634\u0648\u0641\u0629 \u2014 \u0643\u0644\u0651 \u0648\u0627\u062d\u062f\u0629 \u0645\u0646 \u0647\u0630\u0647 \u0642\u062f \u062a\u0641\u062a\u062d \u0627\u0644\u0628\u0627\u0628 \u0623\u0645\u0627\u0645 \u062a\u0635\u0639\u064a\u062f \u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0623\u0648 \u0627\u0633\u062a\u0646\u0632\u0627\u0641 \u0627\u0644\u0645\u0648\u0627\u0631\u062f \u0623\u0648 \u0627\u0644\u062d\u0631\u0643\u0629 \u0627\u0644\u062c\u0627\u0646\u0628\u064a\u0629 \u062f\u0627\u062e\u0644 \u0639\u0646\u0642\u0648\u062f\u0643. \u0627\u0644\u0645\u0634\u0643\u0644\u0629 \u0623\u0646\u0651 \u0647\u0630\u0647 &#8230; <a title=\"\u0645\u062e\u062a\u0628\u0631 \u0639\u0645\u0644\u064a: \u0641\u0631\u0636 \u0633\u064a\u0627\u0633\u0627\u062a \u0646\u0634\u0631 Kubernetes \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 OPA Conftest \u0641\u064a CI\/CD\" class=\"read-more\" href=\"https:\/\/secure-pipelines.com\/ar\/ci-cd-security\/lab-enforcing-kubernetes-policies-opa-conftest-ci-cd\/\" aria-label=\"Read more about \u0645\u062e\u062a\u0628\u0631 \u0639\u0645\u0644\u064a: \u0641\u0631\u0636 \u0633\u064a\u0627\u0633\u0627\u062a \u0646\u0634\u0631 Kubernetes \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 OPA Conftest \u0641\u064a CI\/CD\">\u0627\u0642\u0631\u0623 
\u0627\u0644\u0645\u0632\u064a\u062f<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,67,28],"tags":[],"post_folder":[],"class_list":["post-813","post","type-post","status-publish","format-standard","hentry","category-ci-cd-security","category-labs","category-pipeline-hardening"],"_links":{"self":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/813","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/comments?post=813"}],"version-history":[{"count":0,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/813\/revisions"}],"wp:attachment":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/media?parent=813"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/categories?post=813"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/tags?post=813"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/post_folder?post=813"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}