DevOps Buzz
Developer Quick Start
This section is meant to be tried in a SAFE ENVIRONMENT such as a minikube cluster running locally: it raises Gatekeeper's log level, traces admission requests and adds a deny constraint, and all of that is cluster-wide.

Install Gatekeeper

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml

This pulls the manifest from the master branch, so what you install changes from one day to the next. For anything other than a throwaway lab, pin the URL to a release tag and read the manifest before applying it: it creates cluster-wide RBAC and a ValidatingWebhookConfiguration that sits in front of every matching API request.

References

Enable DEBUG

Change log level

Edit the controller-manager deployment:
kubectl -n gatekeeper-system edit deployments gatekeeper-controller-manager
Add the --log-level=DEBUG parameter to the container args (accepted values are DEBUG, INFO, WARNING and ERROR; the default is INFO):
...
spec:
  containers:
  - args:
    - --auditInterval=30
    - --port=8443
    - --logtostderr
    - --log-level=DEBUG
...
Editing the live Deployment is fine for debugging, but the change is lost the next time the install manifest is applied; put it in your own manifests if it has to persist, and revert it when you are done, since DEBUG logs every admission request the webhook sees.

Enable tracing

Gatekeeper can log the Rego evaluation trace of an admission request, but only for requests that match a user and kind listed in its Config resource. The user field must be the exact user name the API server puts in the request's userInfo.username, so first find out what that is for your kubeconfig.

Find out what your API user name is

Method 01
Get the client certificate from your kubeconfig file. For certificate authentication the API server takes the user name from the certificate's Common Name and the groups from its Organization fields. Note that certificate-authority-data is the cluster's CA certificate, not your identity; the field you want is client-certificate-data under your user entry.
If the certificate is embedded, base64-decode that field (yq v3 syntax; yq v4 uses yq '.users[0].user."client-certificate-data"'):
cat ~/.kube/config | yq r - users.0.user.client-certificate-data | base64 -d
Decode the result locally with openssl x509 -noout -subject rather than pasting it into a web decoder: the private key (client-key-data) sits in the same file a few lines away and is easy to copy by mistake.
The "Common Name" (CN) in the subject is your user name.
If the certificate is not embedded, the user entry has a client-certificate field pointing to an external file; run the same openssl command on that file.
On Kubernetes 1.28 or later, kubectl auth whoami prints the user name and groups for whatever authentication method the current context uses, which also covers tokens and OIDC.
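The decoding in Method 01 done locally, as an added example that is not part of the original page: a POSIX shell script that pulls the client certificate out of a kubeconfig (embedded client-certificate-data or a client-certificate file path), decodes it with openssl and prints the CN, which becomes userInfo.username, and the O values, which become the user's groups. It reads the first user entry, which is this example's simplification; the function names are mine, not Gatekeeper's or minikube's.

```shell
#!/bin/sh
# Added example (not from the original page): derive the Kubernetes user name and
# groups from the client certificate in a kubeconfig, entirely offline.
# Assumption: the first "users:" entry is the one you care about.
set -eu

# kubeconfig_client_cert FILE: write the first user's client certificate (PEM) to stdout.
kubeconfig_client_cert() {
  cfg="$1"
  # Embedded form: "client-certificate-data: <base64>" on a single line, as kubectl writes it.
  b64=$(awk '$1 == "client-certificate-data:" { print $2; exit }' "$cfg")
  if [ -n "$b64" ]; then
    printf '%s' "$b64" | base64 -d
    return
  fi
  # File form: "client-certificate: <path>"; a relative path resolves against the kubeconfig's directory.
  path=$(awk '$1 == "client-certificate:" { print $2; exit }' "$cfg")
  [ -n "$path" ] || { echo "no client certificate in $cfg" >&2; return 1; }
  case "$path" in
    /*) cat "$path" ;;
    *)  cat "$(dirname "$cfg")/$path" ;;
  esac
}

# cert_rdns: stdin is a PEM certificate; stdout is one subject RDN per line, e.g. "CN=minikube-user".
# RFC2253 output has no spaces around "="; a comma escaped inside a value (rare in kube certs) is not handled.
cert_rdns() {
  openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject= *//' | tr ',' '\n'
}

# kube_cert_user FILE: the CN, i.e. what the API server reports as userInfo.username.
kube_cert_user() {
  kubeconfig_client_cert "$1" | cert_rdns | sed -n 's/^CN=//p' | head -n 1
}

# kube_cert_groups FILE: the O values, one per line, i.e. userInfo.groups (plus system:authenticated).
kube_cert_groups() {
  kubeconfig_client_cert "$1" | cert_rdns | sed -n 's/^O=//p'
}

# Usage: sh kube-cert-user.sh ~/.kube/config
if [ $# -gt 0 ]; then
  echo "user:   $(kube_cert_user "$1")"
  echo "groups: $(kube_cert_groups "$1" | tr '\n' ' ')"
fi
```

On a default minikube kubeconfig this prints user minikube-user and group system:masters, which is why that group bypasses RBAC entirely and why the trace user further down is minikube-user.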
Method 02
Create a Gatekeeper ConstraintTemplate just to find out your user name: write a violation rule whose message is input.review.userInfo, for example:
...
violation[{"msg": msg}] {
  input.review.kind.kind == "Service"
  # userInfo carries username, uid, groups and extra exactly as the API server authenticated them
  msg := json.marshal(input.review.userInfo)
}
The template needs a constraint to take effect, and every matching request is then rejected with your user info as the denial message, so do this only on a throwaway kind in a lab cluster (newer Gatekeeper versions also accept enforcementAction: warn on the constraint, which returns the message as a kubectl warning without rejecting the request). Unlike Method 01 this works for any authentication method, not only client certificates.
Change config

Edit the Gatekeeper Config resource (if kubectl reports it as not found, create one with this name and namespace instead):
kubectl -n gatekeeper-system edit config config
Add or edit the validation section. Each traces entry names a user and a kind, and only admission requests from that user for that kind are traced. The sync section shown below is unrelated to tracing; it is only there because this Config already had it.
...
spec:
  sync:
    syncOnly:
    - kind: Namespace
      version: v1
    - kind: Pod
      version: v1
  validation:
    traces:
    - kind:
        kind: Service
        version: v1
      user: minikube-user
...
Use the user name you found above (minikube-user is what minikube's default client certificate gives you). Trace output, including the full Rego evaluation of the request, goes to the controller-manager log; remove the entry once you are done debugging.

Test

Create a template. The trace() call in the Rego only produces output for requests that match a traces entry in the Config; the msg is what the denied user sees:
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: servicetypes
spec:
  crd:
    spec:
      names:
        kind: Servicetypes
        listKind: ServicetypesList
        plural: servicetypes
        singular: servicetypes
  targets:
  - target: admission.k8s.gatekeeper.sh
    rego: |
      package servicetypes
      violation[{"msg": msg}] {
        input.review.kind.kind == "Service"
        input.review.object.spec.type == "LoadBalancer"
        trace(json.marshal(input.review.userInfo))
        msg := "Service type LoadBalancer is denied"
      }
Create a constraint (no enforcementAction is set, so the default, deny, applies):
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Servicetypes
metadata:
  name: service-type-lb-not-allowed
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Service"]
Create a bad object:
kind: Service
apiVersion: v1
metadata:
  name: example-tmp
  namespace: default
spec:
  selector:
    app: example-tmp
  ports:
  - protocol: TCP
    port: 80
  type: LoadBalancer
The apply should fail with the validation.gatekeeper.sh webhook rejecting the request and the message "Service type LoadBalancer is denied". If the Service is created instead, the webhook has not ingested the template or constraint yet; delete the Service and check the status sections below.
Watch the gatekeeper-controller-manager pod logs, which is where the trace output appears:
kubectl -n gatekeeper-system logs deploy/gatekeeper-controller-manager -f
Watch the template status section; a Rego compile error is reported here, in status.byPod, not when the template is applied:
kubectl get constrainttemplates.templates.gatekeeper.sh servicetypes -o yaml
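A scripted version of the test above, added here and not taken from the page or from the Gatekeeper project: it applies the template and constraint, waits for Gatekeeper to generate the constraint CRD and for the webhook pods to report the constraint as enforced, then checks that the bad Service is rejected with the expected message rather than failing for some unrelated reason. The file names template.yaml, constraint.yaml and bad-service.yaml (the three manifests above saved to the current directory) and the "run" argument are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): end-to-end check that the
# servicetypes constraint is enforced by the Gatekeeper webhook.
# Assumes kubectl points at a lab cluster with Gatekeeper in gatekeeper-system and
# that template.yaml, constraint.yaml and bad-service.yaml are in the current directory.
set -eu

NS=gatekeeper-system
# Gatekeeper names the generated CRD <plural>.constraints.gatekeeper.sh
CRD=servicetypes.constraints.gatekeeper.sh
CONSTRAINT=service-type-lb-not-allowed
EXPECTED_MSG='Service type LoadBalancer is denied'   # msg from the template's violation rule

# admission_denied OUTPUT: succeed only when OUTPUT is kubectl's error for a request the
# Gatekeeper webhook denied AND it carries our constraint's message (a TLS error, an RBAC
# Forbidden or a NotFound must not count as a pass).
admission_denied() {
  case "$1" in
    *'admission webhook "validation.gatekeeper.sh" denied the request'*"$EXPECTED_MSG"*) return 0 ;;
    *) return 1 ;;
  esac
}

# wait_for CMD...: retry a command every 2 seconds for up to 60 seconds; ingestion is asynchronous.
wait_for() {
  i=0
  until "$@" >/dev/null 2>&1; do
    i=$((i + 1))
    [ "$i" -lt 30 ] || { echo "timed out waiting for: $*" >&2; return 1; }
    sleep 2
  done
}

# constraint_enforced: true once every webhook pod lists the constraint as enforced in status.byPod.
constraint_enforced() {
  out=$(kubectl get servicetypes "$CONSTRAINT" -o jsonpath='{.status.byPod[*].enforced}' 2>/dev/null) || return 1
  [ -n "$out" ] && ! printf '%s' "$out" | grep -q false
}

run_e2e() {
  kubectl apply -f template.yaml
  wait_for kubectl get crd "$CRD"                  # CRD is created by Gatekeeper, not by the apply
  kubectl wait --for=condition=established "crd/$CRD" --timeout=60s
  kubectl apply -f constraint.yaml
  wait_for constraint_enforced

  # The Service must be rejected; stderr carries the webhook's message.
  if out=$(kubectl apply -f bad-service.yaml 2>&1); then
    echo "FAIL: LoadBalancer Service was admitted, constraint is not enforced" >&2
    kubectl delete -f bad-service.yaml --ignore-not-found
    return 1
  fi
  if admission_denied "$out"; then
    echo "PASS: webhook denied the request:"
    echo "$out"
  else
    echo "FAIL: apply failed for a reason other than the constraint:" >&2
    echo "$out" >&2
    return 1
  fi
  # The trace for this request (only when the Config traces your user for Services) is in the webhook log.
  kubectl -n "$NS" logs deploy/gatekeeper-controller-manager --since=2m
}

# Run only when asked, so the functions can be sourced without touching the cluster.
if [ "${1:-}" = "run" ]; then
  run_e2e
fi
```

Run it with sh gk-verify.sh run. The point of admission_denied is that a failing apply is not proof of enforcement: an unreachable webhook (failurePolicy), a missing RBAC permission or a typo in the manifest all make kubectl exit non-zero too, so the script only passes when the error names the Gatekeeper webhook and the constraint's own message.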