ec inspect policy
Read policies from source URLs and show information about the rules inside them
Synopsis
Read policies from a source URL and show information about the rules inside them.
This fetches policy sources similar to the 'ec fetch policy' command, but once the policy is fetched the equivalent of 'opa inspect' is run against the downloaded policies.
This can be used to extract information about each rule in the policy source, including the rule annotations, which carry the rule's title and description as well as the custom fields ec uses to filter the results produced by conftest.
Note that this command is not typically required to verify the Enterprise Contract. It has been made available for troubleshooting and debugging purposes.
ec inspect policy --source <source-url> [flags]
Examples
Print a list of rules and their descriptions from the latest Enterprise Contract release policy:
ec inspect policy --source quay.io/enterprise-contract/ec-release-policy
Display details about the latest Enterprise Contract release policy in JSON format:
ec inspect policy --source quay.io/enterprise-contract/ec-release-policy -o json | jq
Options
- --collection: display rules included in given collection
- -d, --dest: use the specified destination directory to download the policy. if not set, a temporary directory will be used
- -h, --help: help for policy (Default: false)
- -o, --output: output format. one of: json, text, names, short-names (Default: text)
- --package: display results matching package name
- -p, --policy: reference to the policy configuration, either EnterpriseContractPolicy Kubernetes custom resource reference [<namespace>/]<name>, or inline JSON or YAML of the spec part
- --rule: display results matching rule name
- -s, --source: policy source url. multiple values are allowed (Default: [])
Options inherited from parent commands
- --debug: same as verbose but also show function names and line numbers (Default: false)
- --kubeconfig: path to the Kubernetes config file to use
- --logfile: file to write the logging output. If not specified logging output will be written to stderr
- --quiet: less verbose output (Default: false)
- --timeout: max overall execution duration (Default: 5m0s)
- --trace: enable trace logging, set one or more comma separated values: none,all,perf,cpu,mem,opa,log (Default: none)
- --verbose: more verbose output (Default: false)