Developer Quick Start
This section is designed to be tested on a SAFE ENVIRONMENT such as minikube running locally
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml
Edit the deployment.
kubectl -n gatekeeper-system edit deployments gatekeeper-controller-manager
Add
--log-level=DEBUG
parameter:...
spec:
containers:
- args:
- --auditInterval=30
- --port=8443
- --logtostderr
- --log-level=DEBUG
...
Method 01
Get the certificate from your kubeconfig file.
If the certificate is already embedded, base64 decode the
certificate-authority-data
field.cat ~/.kube/config | yq r - clusters.0.cluster.certificate-authority-data | base64 -d
And decode the certificate using a tool such as https://www.sslshopper.com/certificate-decoder.html
The "Common Name" is your user name.
If the certificate is not embedded, it means it is in an external file, just copy the
client-certificate
file content and decode the certificate and the the "Common Name".Method 02
Create a Gatekeep
ConstraintTemplate
just to debug what is your user name.Create a violation function and return the
input.review.userInfo
, for example:...
violation[{"msg": msg}] {
input.review.kind.kind == "Service"
msg := json.marshal(input.review.userInfo)
}
Edit the config.
kubectl -n gatekeeper-system edit config config
Edit the validation section.
...
spec:
sync:
syncOnly:
- kind: Namespace
version: v1
- kind: Pod
version: v1
validation:
traces:
- kind:
kind: Service
version: v1
user: minikube-user
...
Create a template.
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: servicetypes
spec:
crd:
spec:
names:
kind: Servicetypes
listKind: ServicetypesList
plural: servicetypes
singular: servicetypes
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package servicetypes
violation[{"msg": msg}] {
input.review.kind.kind == "Service"
input.review.object.spec.type == "LoadBalancer"
trace(json.marshal(input.review.userInfo))
msg := "Service type LoadBalancer is denied"
}
Create a constraint.
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Servicetypes
metadata:
name: service-type-lb-not-allowed
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Service"]
Create a bad object.
kind: Service
apiVersion: v1
metadata:
name: example-tmp
namespace: default
spec:
selector:
app: example-tmp
ports:
- protocol: TCP
port: 80
type: LoadBalancer
Watch
gatekeeper-controller-manager
pod logs.Watch template status section:
kubectl get constrainttemplates.templates.gatekeeper.sh servicetypes -o yaml
Last modified 3yr ago