Developer Quick Start
This section is designed to be tested in a SAFE ENVIRONMENT such as minikube running locally.

Install Gatekeeper

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml

References

Enable DEBUG

Change log level

Edit the deployment.
kubectl -n gatekeeper-system edit deployments gatekeeper-controller-manager
Add the --log-level=DEBUG argument to the container args:
...
spec:
  containers:
  - args:
    - --auditInterval=30
    - --port=8443
    - --logtostderr
    - --log-level=DEBUG
...

Enable tracing

Find out your API user name

Method 01
Get the certificate from your kubeconfig file.
If the certificate is already embedded, base64 decode the certificate-authority-data field.
cat ~/.kube/config | yq r - clusters.0.cluster.certificate-authority-data | base64 -d
Then decode the certificate using a tool such as https://www.sslshopper.com/certificate-decoder.html
The "Common Name" is your user name.
If the certificate is not embedded, it is stored in an external file: copy the client-certificate file content, decode the certificate, and read the "Common Name".
Method 02
Create a Gatekeeper ConstraintTemplate just to find out your user name.
Write a violation rule that returns input.review.userInfo as the message, for example:
...
violation[{"msg": msg}] {
  input.review.kind.kind == "Service"
  msg := json.marshal(input.review.userInfo)
}

Change config

Edit the config.
kubectl -n gatekeeper-system edit config config
Edit the validation section.
...
spec:
  sync:
    syncOnly:
    - kind: Namespace
      version: v1
    - kind: Pod
      version: v1
  validation:
    traces:
    - kind:
        kind: Service
        version: v1
      user: minikube-user
...

Test

Create a template.
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: servicetypes
spec:
  crd:
    spec:
      names:
        kind: Servicetypes
        listKind: ServicetypesList
        plural: servicetypes
        singular: servicetypes

  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package servicetypes

        violation[{"msg": msg}] {
          input.review.kind.kind == "Service"
          input.review.object.spec.type == "LoadBalancer"
          trace(json.marshal(input.review.userInfo))
          msg := "Service type LoadBalancer is denied"
        }
Create a constraint.
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Servicetypes
metadata:
  name: service-type-lb-not-allowed
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
Create a bad object.
kind: Service
apiVersion: v1
metadata:
  name: example-tmp
  namespace: default
spec:
  selector:
    app: example-tmp
  ports:
  - protocol: TCP
    port: 80
  type: LoadBalancer
Watch gatekeeper-controller-manager pod logs.
Watch the template's status section:
kubectl get constrainttemplates.templates.gatekeeper.sh servicetypes -o yaml
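The same policy can be exercised without a cluster. The file below is an added example, not code from the original page or from the Gatekeeper project: it copies the rego of the servicetypes template into a plain .rego file and adds opa unit tests around it. The input is constructed to look like what Gatekeeper hands the policy (the AdmissionReview request under input.review); the object name, namespace, user name and groups are made up.

```rego
# Added example (not part of the original page): the servicetypes policy from
# the ConstraintTemplate, plus unit tests runnable with `opa test`.
package servicetypes

violation[{"msg": msg}] {
    input.review.kind.kind == "Service"
    input.review.object.spec.type == "LoadBalancer"
    trace(json.marshal(input.review.userInfo))
    msg := "Service type LoadBalancer is denied"
}

# Constructed input shaped like a Gatekeeper admission request. Every value
# below (names, user, groups) is made up for the test.
lb_service_review := {
    "review": {
        "operation": "CREATE",
        "kind": {"group": "", "version": "v1", "kind": "Service"},
        "userInfo": {
            "username": "minikube-user",
            "groups": ["system:masters", "system:authenticated"]
        },
        "object": {
            "apiVersion": "v1",
            "kind": "Service",
            "metadata": {"name": "example-tmp", "namespace": "default"},
            "spec": {
                "selector": {"app": "example-tmp"},
                "ports": [{"protocol": "TCP", "port": 80}],
                "type": "LoadBalancer"
            }
        }
    }
}

# Same request with only the service type changed.
clusterip_service_review := json.patch(lb_service_review, [
    {"op": "replace", "path": "/review/object/spec/type", "value": "ClusterIP"}
])

# A non-Service kind that happens to carry spec.type: LoadBalancer. The rule
# checks review.kind.kind first, so it must not produce a violation here.
lb_pod_review := json.patch(lb_service_review, [
    {"op": "replace", "path": "/review/kind/kind", "value": "Pod"},
    {"op": "replace", "path": "/review/object/kind", "value": "Pod"}
])

test_loadbalancer_service_denied {
    result := violation with input as lb_service_review
    count(result) == 1
    result[_].msg == "Service type LoadBalancer is denied"
}

test_clusterip_service_allowed {
    count(violation) == 0 with input as clusterip_service_review
}

test_non_service_kind_ignored {
    count(violation) == 0 with input as lb_pod_review
}
```

Run it with `opa test -v servicetypes_test.rego`; adding `--explain notes` also prints the trace() line, which is the same userInfo JSON that the controller logs once tracing is enabled in the config above. The file uses the same pre-1.0 Rego syntax as the template, so use an OPA release matching the one Gatekeeper bundles (or OPA 1.x in its v0-compatibility mode).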