# Developer Quick Start {% hint style="warning" %} This section is designed to be tested on a SAFE ENVIRONMENT such as minikube running locally {% endhint %} ## Install Gatekeeper ``` kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml ``` ### References ### Enable DEBUG ### Change log level Edit the deployment. ``` kubectl -n gatekeeper-system edit deployments gatekeeper-controller-manager ``` Add `--log-level=DEBUG` parameter: ``` ... spec: containers: - args: - --auditInterval=30 - --port=8443 - --logtostderr - --log-level=DEBUG ... ``` ### Enable tracing #### Find out what is your API user name **Method 01** Get the certificate from your kubeconfig file. If the certificate is already embedded, base64 decode the `certificate-authority-data` field. ``` cat ~/.kube/config | yq r - clusters.0.cluster.certificate-authority-data | base64 -d ``` And decode the certificate using a tool such as The "Common Name" is your user name. If the certificate is not embedded, it means it is in an external file, just copy the `client-certificate` file content and decode the certificate and the the "Common Name". **Method 02** Create a Gatekeep `ConstraintTemplate` just to debug what is your user name. Create a violation function and return the `input.review.userInfo`, for example: ``` ... violation[{"msg": msg}] { input.review.kind.kind == "Service" msg := json.marshal(input.review.userInfo) } ``` #### Change config Edit the config. ``` kubectl -n gatekeeper-system edit config config ``` Edit the validation section. ``` ... spec: sync: syncOnly: - kind: Namespace version: v1 - kind: Pod version: v1 validation: traces: - kind: kind: Service version: v1 user: minikube-user ... ``` ## Test Create a template. ``` --- apiVersion: templates.gatekeeper.sh/v1beta1 kind: ConstraintTemplate metadata: name: servicetypes spec: crd: spec: names: kind: Servicetypes listKind: ServicetypesList plural: servicetypes singular: servicetypes targets: - target: admission.k8s.gatekeeper.sh rego: | package servicetypes violation[{"msg": msg}] { input.review.kind.kind == "Service" input.review.object.spec.type == "LoadBalancer" trace(json.marshal(input.review.userInfo)) msg := "Service type LoadBalancer is denied" } ``` Create a constraint. ``` --- apiVersion: constraints.gatekeeper.sh/v1beta1 kind: Servicetypes metadata: name: service-type-lb-not-allowed spec: match: kinds: - apiGroups: [""] kinds: ["Service"] ``` Create a bad object. ``` kind: Service apiVersion: v1 metadata: name: example-tmp namespace: default spec: selector: app: example-tmp ports: - protocol: TCP port: 80 type: LoadBalancer ``` Watch `gatekeeper-controller-manager` pod logs. Watch template status section: ``` kubectl get constrainttemplates.templates.gatekeeper.sh servicetypes -o yaml ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.devops.buzz/public/gatekeeper-opa/developer-quick-start.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.