# OPA GK

###### tags: `CKS Day2`

Install OPA Gatekeeper:

```bash
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.3/deploy/gatekeeper.yaml
```

Define a CRD of kind ConstraintTemplate named k8srequiredlabels:

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
  annotations:
    description: Requires all resources to contain a specified label with a value matching a provided regular expression.
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          properties:
            message:
              type: string
            labels:
              type: array
              items:
                type: object
                properties:
                  key:
                    type: string
                  allowedRegex:
                    type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        get_message(parameters, _default) = msg {
          not parameters.message
          msg := _default
        }

        get_message(parameters, _default) = msg {
          msg := parameters.message
        }

        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_].key}
          missing := required - provided
          count(missing) > 0
          def_msg := sprintf("you must provide labels: %v", [missing])
          msg := get_message(input.parameters, def_msg)
        }

        violation[{"msg": msg}] {
          value := input.review.object.metadata.labels[key]
          expected := input.parameters.labels[_]
          expected.key == key
          # do not match if allowedRegex is not defined, or is an empty string
          expected.allowedRegex != ""
          not re_match(expected.allowedRegex, value)
          def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex])
          msg := get_message(input.parameters, def_msg)
        }
```

Create a Constraint named all-must-have-owner that belongs to the K8sRequiredLabels template:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: all-must-have-owner
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    message: "All namespaces must have an `owner` label that points to your company username"
    labels:
      - key: owner
        allowedRegex: "^[a-zA-Z]+.agilebank.demo$"
```

Custom ConstraintTemplate:

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: requiredlabelscks
  annotations:
    description: Requires all resources to contain a specified label with a value matching a provided regular expression.
spec:
  crd:
    spec:
      names:
        kind: requiredlabelscks
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg}] {
          not input.review.object.metadata.labels.cks
          msg := "You must tag the ns label cks: <input>"
        }
```

Custom Constraint belonging to the requiredlabelscks template:

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: requiredlabelscks
metadata:
  name: ns-must-have-label-cks
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
```
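To check the k8srequiredlabels policy before it is enforced in a cluster, the `rego:` block of that template can be saved as `k8srequiredlabels.rego` and exercised with `opa test -v .` using the test file below. This is an added example, not part of the original note or of the Gatekeeper project; the `ns` helper, the Namespace objects and `owner_params` (mirroring the all-must-have-owner constraint) are constructed test fixtures.

```rego
package k8srequiredlabels

# Constructed Namespace object, shaped like input.review.object in a Gatekeeper admission review
ns(labels) = obj {
  obj := {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "demo", "labels": labels}}
}

# Constructed parameters mirroring the all-must-have-owner constraint
owner_params = {
  "message": "All namespaces must have an `owner` label that points to your company username",
  "labels": [{"key": "owner", "allowedRegex": "^[a-zA-Z]+.agilebank.demo$"}]
}

test_missing_owner_label_is_denied {
  result := violation with input as {"review": {"object": ns({"team": "platform"})}, "parameters": owner_params}
  count(result) == 1
  result[_].msg == owner_params.message
  result[_].details.missing_labels == {"owner"}
}

test_matching_owner_is_allowed {
  result := violation with input as {"review": {"object": ns({"owner": "alice.agilebank.demo"})}, "parameters": owner_params}
  count(result) == 0
}

test_non_matching_owner_is_denied {
  result := violation with input as {"review": {"object": ns({"owner": "alice@example.com"})}, "parameters": owner_params}
  count(result) == 1
  result[_].msg == owner_params.message
}

# The unescaped dots in the regex match any character, so this value is accepted as well;
# "^[a-zA-Z]+\\.agilebank\\.demo$" would reject it.
test_unescaped_dot_matches_any_character {
  result := violation with input as {"review": {"object": ns({"owner": "alice-agilebank-demo"})}, "parameters": owner_params}
  count(result) == 0
}

# Without parameters.message, get_message falls back to the default text built by the rule
test_default_message_when_none_configured {
  params := {"labels": [{"key": "owner", "allowedRegex": ""}]}
  result := violation with input as {"review": {"object": ns({})}, "parameters": params}
  count(result) == 1
  startswith(result[_].msg, "you must provide labels")
}
```

The template's Rego is written in the pre-1.0 syntax, so on OPA 1.x run `opa test -v --v0-compatible .`; the same approach tests the requiredlabelscks rule, but keep it in a separate directory, since both templates declare the same package name and their `violation` rules would otherwise be merged.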