# Developer Quick Start

{% hint style="warning" %}
This section is designed to be tested on a SAFE ENVIRONMENT such as minikube running locally&#x20;
{% endhint %}

## Install Gatekeeper

```
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml
```

### References

<https://github.com/open-policy-agent/gatekeeper#installation>

### Enable DEBUG

### Change log level

Edit the deployment.

```
kubectl -n gatekeeper-system edit deployments gatekeeper-controller-manager
```

Add `--log-level=DEBUG` parameter:

```
...
    spec:
      containers:
      - args:
        - --auditInterval=30
        - --port=8443
        - --logtostderr
        - --log-level=DEBUG
...
```

### Enable tracing

#### Find out what is your API user name

**Method 01**

Get the certificate from your kubeconfig file.

If the certificate is already embedded, base64 decode the `certificate-authority-data` field.

```
cat ~/.kube/config | yq r - clusters.0.cluster.certificate-authority-data | base64 -d
```

And decode the certificate using a tool such as <https://www.sslshopper.com/certificate-decoder.html>

The "Common Name" is your user name.

If the certificate is not embedded, it means it is in an external file, just copy the `client-certificate` file content and decode the certificate and the the "Common Name".

**Method 02**

Create a Gatekeep `ConstraintTemplate` just to debug what is your user name.

Create a violation function and return the `input.review.userInfo`, for example:

```
...
violation[{"msg": msg}] {
  input.review.kind.kind == "Service"
  msg := json.marshal(input.review.userInfo) 
}
```

#### Change config

Edit the config.

```
kubectl -n gatekeeper-system edit config config
```

Edit the validation section.

```
...
spec:
  sync:
    syncOnly:
    - kind: Namespace
      version: v1
    - kind: Pod
      version: v1
  validation:
    traces:
    - kind:
        kind: Service
        version: v1
      user: minikube-user
...
```

## Test

Create a template.

```
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: servicetypes
spec:
  crd:
    spec:
      names:
        kind: Servicetypes
        listKind: ServicetypesList
        plural: servicetypes
        singular: servicetypes

  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package servicetypes
        
        violation[{"msg": msg}] {
          input.review.kind.kind == "Service"
          input.review.object.spec.type == "LoadBalancer"
          trace(json.marshal(input.review.userInfo))
          msg := "Service type LoadBalancer is denied"
        }
```

Create a constraint.

```
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Servicetypes
metadata:
  name: service-type-lb-not-allowed
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
```

Create a bad object.

```
kind: Service
apiVersion: v1
metadata:
  name: example-tmp
  namespace: default
spec:
  selector:
    app: example-tmp
  ports:
  - protocol: TCP
    port: 80
  type: LoadBalancer
```

Watch `gatekeeper-controller-manager` pod logs.

Watch template status section:

```
kubectl get constrainttemplates.templates.gatekeeper.sh servicetypes -o yaml
```