ADR-MB-007: manifest tests

Status

Accepted

As our Kubernetes infrastructure grows, we need to ensure that all deployed manifests adhere to our policies and security standards.

Without automated policy validation, we risk:

We will use Conftest for Kubernetes manifest policy testing, with policies written in Rego (Open Policy Agent language).

Tool	Pros	Cons	Decision
Conftest	- Simple CLI integration - Rego policy language - Flexible input formats - Good CI/CD integration	- Smaller community - Fewer pre-built policies	✅ Selected
Kyverno	- Kubernetes-native - YAML-based policies - Larger community - More examples available	- More complex setup - Kubernetes-specific only - More verbose policy syntax	❌ Not selected
Gatekeeper	- Kubernetes admission controller - Runtime enforcement - OPA integration	- Complex setup - Requires cluster deployment - Overhead for simple validation	❌ Not selected
Polaris	- Good dashboard - Pre-built policies - Easy to start	- Limited customization - No custom policy language	❌ Not selected

Pros:

✅ Developer Experience: Simple CLI tool that integrates well with existing workflows
✅ Flexibility: Rego allows complex policy logic and custom validation rules
✅ CI/CD Integration: Easy to integrate into GitHub Actions and other CI systems
✅ Multi-format Support: Works with YAML, JSON, and other structured data formats
✅ Offline Testing: Can validate manifests without requiring a Kubernetes cluster
✅ Extensibility: Easy to add new policies as requirements evolve

Cons:

❌ Learning Curve: Team needs to learn Rego syntax for policy development
❌ Community Size: Smaller community compared to Kyverno, fewer examples available
❌ Documentation: Less comprehensive documentation and tutorials
❌ Runtime Enforcement: No built-in runtime policy enforcement (validation only)