Policy Kit


A set of utilities and classes for working with Open Policy Agent based tools, including Gatekeeper and Conftest.


Policy Kit can be installed from PyPI using pip or similar tools:

pip install policykit


The module provides a CLI tool called pk for using some of the functionality.

$ pk build *.rego
[SecurityControls] Generating a ConstraintTemplate from "SecurityControls.rego"
[SecurityControls] Searching "lib" for additional rego files
[SecurityControls] Adding library from "lib/kubernetes.rego"
[SecurityControls] Saving to "SecurityControls.yaml"
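The steps logged above (read the Rego file, collect library files from "lib", wrap them in a ConstraintTemplate) can be sketched as follows. This is an added example, not Policy Kit's own code: the function names, the sample policy and the chosen apiVersion are assumptions made for illustration.

```python
import json
import re
from pathlib import Path

API_VERSION = "templates.gatekeeper.sh/v1beta1"  # assumption: match your Gatekeeper release
TARGET = "admission.k8s.gatekeeper.sh"


def build_template(kind, rego, libs=()):
    """Return a Gatekeeper ConstraintTemplate as a plain dict (hypothetical helper)."""
    if not re.search(r"^\s*violation\b", rego, re.M):
        # Simple textual check: Gatekeeper evaluates the `violation` rule.
        raise ValueError(f"{kind}: rego source defines no violation rule")
    target = {"target": TARGET, "rego": rego}
    if libs:
        target["libs"] = list(libs)
    return {
        "apiVersion": API_VERSION,
        "kind": "ConstraintTemplate",
        # Gatekeeper requires metadata.name to be the lowercased constraint kind.
        "metadata": {"name": kind.lower()},
        "spec": {
            "crd": {"spec": {"names": {"kind": kind}}},
            "targets": [target],
        },
    }


def build_from_file(rego_path, lib_dir="lib"):
    """Mirror the logged steps: read X.rego, collect lib/*.rego, build the template."""
    rego_path = Path(rego_path)
    lib_root = rego_path.parent / lib_dir
    libs = [p.read_text() for p in sorted(lib_root.glob("*.rego"))] if lib_root.is_dir() else []
    return build_template(rego_path.stem, rego_path.read_text(), libs)


# Constructed sample policy, not taken from the Policy Kit repository.
SAMPLE_REGO = """package securitycontrols

violation[{"msg": msg}] {
  container := input.review.object.spec.containers[_]
  not container.securityContext.runAsNonRoot
  msg := sprintf("container %v must set runAsNonRoot", [container.name])
}
"""

if __name__ == "__main__":
    # JSON is valid YAML, so kubectl accepts this output directly.
    print(json.dumps(build_template("SecurityControls", SAMPLE_REGO), indent=2))
```

Reviewing the generated template before it is applied shows exactly which Rego, including library code, will run in the admission path.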

You can also use the tool via Docker:

docker run --rm -it -v $(pwd):/app  garethr/policykit build


This module currently contains several classes, the first for working with ConstraintTemplates in Gatekeeper.

from policykit import ConstraintTemplate

with open(path_to_rego_source_file, "r") as rego:
    ct = ConstraintTemplate(name,

The Conftest class makes interacting with Conftest from Python easy. Note that this requires the conftest executable to be available on the path.

>>> from policykit import Conftest
>>> cli = Conftest("policy")
>>> result = cli.test("deployment.yaml")
>>> result
ConftestRun(code=1, results=[ConftestResult(filename='/Users/garethr/Documents/conftest/examples/kubernetes/deployment.yaml', Warnings=[], Failures=['hello-kubernetes must include Kubernetes recommended labels: ', 'Containers must not run as root in Deployment hello-kubernetes', 'Deployment hello-kubernetes must provide app/release labels for pod selectors'], Successes=[])]
>>> result.success

A dictionary passed in as json_input is parsed as JSON and then sent as stdin to the conftest executable.

from policykit import Conftest

result = Conftest("policy").test(json_input={"foo": "bar"})


Policy Kit can also be easily used in GitHub Actions, using the following Action. This example also demonstrates committing the generated files back into the Git repository. Update the values in <> as required.

on: push
name: Gatekeeper
jobs:
  gatekeeper:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master
    - name: Generate ConstraintTemplates for Gatekeeper
      uses: garethr/policykit/action@master
      with:
        args: <directory-of-rego-source-files>
    - name: Commit to repository
      env:
        GITHUB_TOKEN: ${{ secrets.github_token }}
        COMMIT_MSG: |
          Generated new ConstraintTemplates from Rego source
          skip-checks: true
      run: |
        # Hard-code user config
        git config user.email "<your-email-address>"
        git config user.name "<your-username>"
        git config --get-regexp "user\.(name|email)"
        # Update origin with token
        git remote set-url origin https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git
        # Checkout the branch so we can push back to it
        git checkout master
        git add .
        # Only commit and push if we have changes
        git diff --quiet && git diff --staged --quiet || (git commit -m "${COMMIT_MSG}"; git push origin master)


A few caveats for anyone trying to use this module.

  • Loading libraries with lib is only supported in Gatekeeper HEAD today but should be in the next release.
  • This module does not support parameterized ConstraintTemplates

Files for policykit, version 0.4.0
Filename, size                               File type   Python version
policykit-0.4.0-py3-none-any.whl (8.9 kB)    Wheel       py3
policykit-0.4.0.tar.gz (9.1 kB)              Source      None
