Kubernetes OPA Gatekeeper constraint not working: only allow images from a private registry

zwghvu4y  posted 5 months ago  in  Kubernetes
Follow (0) | Answers (1) | Views (53)

So I installed OPA Gatekeeper in Kubernetes on AWS using the Helm chart; I tried both the v3.9.0 and v3.12.0 Gatekeeper Helm charts. I then applied a constraint template and a constraint that allow only private registry images. However, when I apply a pod with some random image, its pod still gets created instead of giving me an error.
This is my constraints-template.yaml

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sallowedrepos
spec:
  crd:
    spec:
      names:
        kind: K8sAllowedRepos
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          properties:
            repos:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sallowedrepos

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          satisfied := [good | repo = input.parameters.repos[_] ; good = contains(container.image, repo)]
          not any(satisfied)
          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
        }

        violation[{"msg": msg}] {
          container := input.review.object.spec.initContainers[_]
          satisfied := [good | repo = input.parameters.repos[_] ; good = contains(container.image, repo)]
          not any(satisfied)
          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
        }

This is my constraint.yaml

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: allow-only-private-registry
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    repos:
      - "private.example.com"


Testing OPA with the following file

apiVersion: v1
kind: Pod
metadata:
  name: swiss-army-knife-disallowed
spec:
  containers:
    - name: swiss-army-knife
      image: rancherlabs/swiss-army-knife:latest
      resources:
        limits:
          cpu: "100m"
          memory: "30Mi"


After running the following command

kubectl apply -f disallowed.yaml


it just gives me the "created" message, whereas I expect it to give me an error.
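A way to check whether the template and constraint above actually produce a violation for the disallowed pod, without involving the cluster's admission webhook at all, is Gatekeeper's own `gator verify` CLI. The suite below is an added example and is not part of the original question; it assumes the question's three files are saved as constraints-template.yaml, constraint.yaml and disallowed.yaml in the same directory, and adds a constructed allowed.yaml (a pod whose image is pulled from private.example.com) as the negative case.

```yaml
# suite.yaml (added example): run `gator verify suite.yaml -v` from the
# directory that holds the question's constraints-template.yaml,
# constraint.yaml and disallowed.yaml.
kind: Suite
apiVersion: test.gatekeeper.sh/v1alpha1
tests:
  - name: allowed-repos
    template: constraints-template.yaml
    constraint: constraint.yaml
    cases:
      # The pod from the question: its image is not on private.example.com,
      # so the policy must report exactly one violation.
      - name: disallowed-image
        object: disallowed.yaml
        assertions:
          - violations: 1
      # Constructed negative case (allowed.yaml, defined below): the image
      # reference carries the allowed registry, so no violation is expected.
      - name: allowed-image
        object: allowed.yaml
        assertions:
          - violations: "no"
---
# allowed.yaml (constructed for this example; save it as its own file,
# not as a second document inside suite.yaml)
apiVersion: v1
kind: Pod
metadata:
  name: swiss-army-knife-allowed
spec:
  containers:
    - name: swiss-army-knife
      image: private.example.com/tools/swiss-army-knife:latest
      resources:
        limits:
          cpu: "100m"
          memory: "30Mi"
```

If both cases pass, the Rego and the match criteria are fine and the gap lies between the cluster and the webhook: `kubectl get constrainttemplate k8sallowedrepos -o yaml` should then show `status.created: true` with no errors under `status.byPod`, and `kubectl get k8sallowedrepos allow-only-private-registry -o yaml` shows whether each Gatekeeper pod has enforced the constraint and the `totalViolations` found by the audit. One caveat on the template itself: `contains` is a substring match, whereas the allowedrepos template in the Gatekeeper policy library uses `startswith`, so that the allowed registry must begin the image reference rather than merely appear somewhere in it.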

0pizxfdo 1#

Here you must define the enforcement action in the constraint file. In Gatekeeper we have three types of action ["info", "warn", "deny"]; now you can specify it according to your requirements.

Example:-

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: allowed-repositories
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    repos:
      - --
