Eval API
The Eval API evaluates policies and rulesets against input data supplied in the request body — for example a Kubernetes manifest, Terraform plan JSON, or raw Terraform HCL, as in the examples below. Every request is authenticated with a bearer token in the `Authorization` header.
Endpoints
Evaluate Policy
Evaluate a policy against a provided input.
POST /api/eval/policies/{policy_name}
Path Parameters:
Parameter | Description
---|---
policy_name | The name of the policy to evaluate
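# Evaluate the "demo" policy against a Kubernetes Deployment manifest.
# Body fields: "inputData" is the object the policy is evaluated against;
# "_filters" presumably narrows which rulesets are run (confirm with the server
# docs); "labels" appear to be free-form tags recorded with the evaluation.
# The heredoc delimiter is quoted ('EOF') so the shell leaves "$", backquotes
# and backslashes in the payload untouched -- an unquoted delimiter would expand
# them, which silently corrupts input such as Helm templates or HCL "${...}".
curl -X POST "https://<your-instance>.aegis.pegasys.cloud/api/eval/policies/demo" \
  -H "Authorization: Bearer <your_token>" \
  -H "Content-Type: application/json" \
  -d @- <<'EOF'
{
  "_filters": "name=demo or name=deployment",
  "labels": {
    "source": "api",
    "user": "user@example.com"
  },
  "inputData": {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {
      "name": "nginx",
      "namespace": "kube-app",
      "labels": {
        "env": "prod",
        "app-id": "nginx",
        "platform": "kubernetes",
        "resource": "deployment"
      }
    },
    "spec": {
      "replicas": 0
    }
  }
}
EOF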
{
"_filters": "name=demo or name=deployment",
"labels": {
"source": "api",
"user": "user@example.com"
},
"inputData": {
"apiVersion": "apps/v1",
"kind": "Deployment",
"metadata": {
"name": "nginx",
"namespace": "kube-app",
"labels": {
"env": "prod",
"app-id": "nginx",
"platform": "kubernetes",
"resource": "deployment"
}
},
"spec": {
"replicas": 0
}
}
}
{
"policy": "demo",
"passed": false,
"rulesets": [
{
"name": "kubernetes-deployment-security",
"passed": false,
"results": [
{
"rule": "enforce-replicas-gt-3",
"status": "failed",
"message": "Deployment must have at least 3 replicas for high availability"
}
]
}
]
}
Evaluate Ruleset
Evaluate a ruleset against a provided input.
POST /api/eval/rulesets/{ruleset_name}
Path Parameters:
Parameter | Description
---|---
ruleset_name | The name of the ruleset to evaluate
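# Evaluate the "demo" ruleset against a Kubernetes Deployment manifest.
# Body fields: "inputData" is the object the ruleset is evaluated against;
# "policyName" presumably names the policy context the ruleset runs under
# (confirm with the server docs).
# The heredoc delimiter is quoted ('EOF') so the shell does not expand "$",
# backquotes or backslashes inside the payload.
curl -X POST "https://<your-instance>.aegis.pegasys.cloud/api/eval/rulesets/demo" \
  -H "Authorization: Bearer <your_token>" \
  -H "Content-Type: application/json" \
  -d @- <<'EOF'
{
  "inputData": {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {
      "name": "nginx",
      "namespace": "kube-app",
      "labels": {
        "project": "nginx"
      }
    },
    "spec": {
      "replicas": 1
    }
  },
  "policyName": "deployments"
}
EOF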
{
"inputData": {
"apiVersion": "apps/v1",
"kind": "Deployment",
"metadata": {
"name": "nginx",
"namespace": "kube-app",
"labels": {
"project": "nginx"
}
},
"spec": {
"replicas": 1
}
},
"policyName": "deployments"
}
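# Evaluate the "cloudrun-plan-invoker" ruleset against a Terraform plan in the
# JSON shape produced by `terraform show -json` (format_version / planned_values /
# root_module). The plan contains two IAM bindings for roles/run.invoker: one for a
# named user and one for "allUsers", the public-exposure pattern this ruleset is
# presumably meant to flag.
# The heredoc delimiter is quoted ('EOF') so the shell does not expand "$",
# backquotes or backslashes inside the payload (plan JSON may contain "${...}").
curl -X POST "https://<your-instance>.aegis.pegasys.cloud/api/eval/rulesets/cloudrun-plan-invoker" \
  -H "Authorization: Bearer <your_token>" \
  -H "Content-Type: application/json" \
  -d @- <<'EOF'
{
  "inputData": {
    "format_version": "1.0",
    "terraform_version": "1.3.5",
    "planned_values": {
      "root_module": {
        "resources": [
          {
            "address": "google_cloud_run_service.default",
            "mode": "managed",
            "type": "google_cloud_run_service",
            "name": "default",
            "values": {
              "name": "my-cloud-run-service",
              "location": "us-central1",
              "template": {
                "spec": {
                  "containers": [
                    {
                      "image": "registry.acme.com/my-project-id/my-app:latest",
                      "ports": [
                        {
                          "container_port": 8080
                        }
                      ]
                    }
                  ]
                }
              }
            }
          },
          {
            "address": "google_cloud_run_service_iam_member.invoker_user",
            "mode": "managed",
            "type": "google_cloud_run_service_iam_member",
            "name": "invoker_user",
            "values": {
              "location": "us-central1",
              "service": "my-cloud-run-service",
              "role": "roles/run.invoker",
              "member": "user:example@example.com"
            }
          },
          {
            "address": "google_cloud_run_service_iam_member.invoker_public",
            "mode": "managed",
            "type": "google_cloud_run_service_iam_member",
            "name": "invoker_public",
            "values": {
              "location": "us-central1",
              "service": "my-cloud-run-service",
              "role": "roles/run.invoker",
              "member": "allUsers"
            }
          }
        ]
      }
    }
  }
}
EOF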
{
"inputData": {
"format_version": "1.0",
"terraform_version": "1.3.5",
"planned_values": {
"root_module": {
"resources": [
{
"address": "google_cloud_run_service.default",
"mode": "managed",
"type": "google_cloud_run_service",
"name": "default",
"values": {
"name": "my-cloud-run-service",
"location": "us-central1",
"template": {
"spec": {
"containers": [
{
"image": "registry.acme.com/my-project-id/my-app:latest",
"ports": [
{
"container_port": 8080
}
]
}
]
}
}
}
},
{
"address": "google_cloud_run_service_iam_member.invoker_user",
"mode": "managed",
"type": "google_cloud_run_service_iam_member",
"name": "invoker_user",
"values": {
"location": "us-central1",
"service": "my-cloud-run-service",
"role": "roles/run.invoker",
"member": "user:example@example.com"
}
},
{
"address": "google_cloud_run_service_iam_member.invoker_public",
"mode": "managed",
"type": "google_cloud_run_service_iam_member",
"name": "invoker_public",
"values": {
"location": "us-central1",
"service": "my-cloud-run-service",
"role": "roles/run.invoker",
"member": "allUsers"
}
}
]
}
}
}
}
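# Evaluate the "cloudrun-tf" ruleset against raw Terraform HCL. The body is YAML
# (Content-Type: application/x-yaml) whose "inputData" key carries the HCL as a
# literal block scalar ("|"), so every HCL line must be indented under the key or
# the YAML will not parse. The HCL binds roles/run.invoker to "allUsers" via a
# google_iam_policy data source -- the public-access pattern this ruleset is
# presumably meant to flag.
# The heredoc delimiter is quoted ('EOF') so the shell leaves "${...}" and "$var"
# sequences -- common in HCL -- untouched instead of expanding them.
curl -X POST "https://<your-instance>.aegis.pegasys.cloud/api/eval/rulesets/cloudrun-tf" \
  -H "Authorization: Bearer <your_token>" \
  -H "Content-Type: application/x-yaml" \
  -d @- <<'EOF'
inputData: |
  provider "google" {
    project = "acme-12345678"
    region = "us-central1"
  }
  resource "google_cloud_run_service" "default" {
    name = "my-cloud-run-service"
    location = "us-central1"
    template {
      spec {
        containers {
          image = "gcr.io/acme-12345678/my-app:latest"
          ports {
            container_port = 8080
          }
        }
      }
    }
    traffic {
      percent = 100
      latest_revision = true
    }
  }
  resource "google_cloud_run_service" "def-2" {
    name = "my-cloud-run-service-2"
    location = "us-central1"
    template {
      spec {
        containers {
          image = "registry.acme.com/acme-12345678/my-app:latest"
          ports {
            container_port = 8080
          }
        }
      }
    }
    traffic {
      percent = 100
      latest_revision = true
    }
  }
  resource "google_cloud_run_service_iam_policy" "public_access" {
    location = google_cloud_run_service.default.location
    service = google_cloud_run_service.default.name
    policy_data = data.google_iam_policy.noauth.policy_data
  }
  data "google_iam_policy" "noauth" {
    binding {
      role = "roles/run.invoker"
      members = [
        "allUsers",
      ]
    }
  }
  output "cloud_run_url" {
    value = google_cloud_run_service.default.status[0].url
  }
EOF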
inputData: |
provider "google" {
project = "acme-12345678"
region = "us-central1"
}
resource "google_cloud_run_service" "default" {
name = "my-cloud-run-service"
location = "us-central1"
template {
spec {
containers {
image = "gcr.io/acme-12345678/my-app:latest"
ports {
container_port = 8080
}
}
}
}
traffic {
percent = 100
latest_revision = true
}
}
resource "google_cloud_run_service" "def-2" {
name = "my-cloud-run-service-2"
location = "us-central1"
template {
spec {
containers {
image = "registry.acme.com/acme-12345678/my-app:latest"
ports {
container_port = 8080
}
}
}
}
traffic {
percent = 100
latest_revision = true
}
}
resource "google_cloud_run_service_iam_policy" "public_access" {
location = google_cloud_run_service.default.location
service = google_cloud_run_service.default.name
policy_data = data.google_iam_policy.noauth.policy_data
}
data "google_iam_policy" "noauth" {
binding {
role = "roles/run.invoker"
members = [
"allUsers",
]
}
}
output "cloud_run_url" {
value = google_cloud_run_service.default.status[0].url
}