DevOps Buzz
Search…
⌃K

Developer Quick Start

This section is designed to be tested on a SAFE ENVIRONMENT such as minikube running locally

Install Gatekeeper

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml

References

Enable DEBUG

Change log level

Edit the deployment.
kubectl -n gatekeeper-system edit deployments gatekeeper-controller-manager
Add --log-level=DEBUG parameter:
...
spec:
containers:
- args:
- --auditInterval=30
- --port=8443
- --logtostderr
- --log-level=DEBUG
...

Enable tracing

Find out what is your API user name

Method 01
Get the certificate from your kubeconfig file.
If the certificate is already embedded, base64 decode the certificate-authority-data field.
cat ~/.kube/config | yq r - clusters.0.cluster.certificate-authority-data | base64 -d
And decode the certificate using a tool such as https://www.sslshopper.com/certificate-decoder.html
The "Common Name" is your user name.
If the certificate is not embedded, it means it is in an external file, just copy the client-certificate file content and decode the certificate and the the "Common Name".
Method 02
Create a Gatekeep ConstraintTemplate just to debug what is your user name.
Create a violation function and return the input.review.userInfo, for example:
...
violation[{"msg": msg}] {
input.review.kind.kind == "Service"
msg := json.marshal(input.review.userInfo)
}

Change config

Edit the config.
kubectl -n gatekeeper-system edit config config
Edit the validation section.
...
spec:
sync:
syncOnly:
- kind: Namespace
version: v1
- kind: Pod
version: v1
validation:
traces:
- kind:
kind: Service
version: v1
user: minikube-user
...

Test

Create a template.
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: servicetypes
spec:
crd:
spec:
names:
kind: Servicetypes
listKind: ServicetypesList
plural: servicetypes
singular: servicetypes
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package servicetypes
violation[{"msg": msg}] {
input.review.kind.kind == "Service"
input.review.object.spec.type == "LoadBalancer"
trace(json.marshal(input.review.userInfo))
msg := "Service type LoadBalancer is denied"
}
Create a constraint.
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Servicetypes
metadata:
name: service-type-lb-not-allowed
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Service"]
Create a bad object.
kind: Service
apiVersion: v1
metadata:
name: example-tmp
namespace: default
spec:
selector:
app: example-tmp
ports:
- protocol: TCP
port: 80
type: LoadBalancer
Watch gatekeeper-controller-manager pod logs.
Watch template status section:
kubectl get constrainttemplates.templates.gatekeeper.sh servicetypes -o yaml