Kubernetes OPA Gatekeeper

Mwandishi halisi wa ukurasa huu ni Guillaume

Maelezo

Open Policy Agent (OPA) Gatekeeper ni chombo kinachotumika kutekeleza sera za idhini katika Kubernetes. Sera hizi zinatambuliwa kwa kutumia Rego, lugha ya sera inayotolewa na OPA. Hapa chini kuna mfano wa msingi wa ufafanuzi wa sera ukitumia OPA Gatekeeper:

regoCopy codepackage k8srequiredlabels

violation[{"msg": msg}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.parameters.labels[label]}
missing := required - provided
count(missing) > 0
msg := sprintf("Required labels missing: %v", [missing])
}

default allow = false

Hii sera ya Rego inachunguza ikiwa lebo fulani zipo kwenye rasilimali za Kubernetes. Ikiwa lebo zinazohitajika hazipo, inarudi ujumbe wa kukiuka. Sera hii inaweza kutumika kuhakikisha kuwa rasilimali zote zilizosanikishwa kwenye kikundi zina lebo maalum.

Tumia Kizuizi

Kutumia sera hii na OPA Gatekeeper, ungefafanua ConstraintTemplate na Constraint kwenye Kubernetes:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8srequiredlabels
violation[{"msg": msg}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.parameters.labels[label]}
missing := required - provided
count(missing) > 0
msg := sprintf("Required labels missing: %v", [missing])
}

default allow = false

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: ensure-pod-has-label
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
labels:
requiredLabel1: "true"
requiredLabel2: "true"

Katika mfano huu wa YAML, tunatamka ConstraintTemplate kuhitaji lebo. Kisha, tunaiita kizuizi hiki hakikisha-pod-ina-lebo, ambayo inahusisha ConstraintTemplate ya k8srequiredlabels na kueleza lebo zinazohitajika.

Wakati Gatekeeper inapowekwa katika kikundi cha Kubernetes, itatekeleza sera hii, ikizuia uundaji wa podi ambazo hazina lebo zilizotajwa.

Marejeo

https://github.com/open-policy-agent/gatekeeper

PreviousKubernetes SecurityContext(s)NextKubernetes OPA Gatekeeper bypass

Last updated 5 months ago