Developer Quick Start

Last updated 5 years ago

Developer Quick Start

This section is designed to be tested on a SAFE ENVIRONMENT such as minikube running locally

Install Gatekeeper

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml

References

Enable DEBUG

Change log level

Edit the deployment.

kubectl -n gatekeeper-system edit deployments gatekeeper-controller-manager

Add --log-level=DEBUG parameter:

...
    spec:
      containers:
      - args:
        - --auditInterval=30
        - --port=8443
        - --logtostderr
        - --log-level=DEBUG
...

Enable tracing

Find out what is your API user name

Method 01

Get the certificate from your kubeconfig file.

If the certificate is already embedded, base64 decode the certificate-authority-data field.

cat ~/.kube/config | yq r - clusters.0.cluster.certificate-authority-data | base64 -d

The "Common Name" is your user name.

If the certificate is not embedded, it means it is in an external file, just copy the client-certificate file content and decode the certificate and the the "Common Name".

Method 02

Create a Gatekeep ConstraintTemplate just to debug what is your user name.

Create a violation function and return the input.review.userInfo, for example:

...
violation[{"msg": msg}] {
  input.review.kind.kind == "Service"
  msg := json.marshal(input.review.userInfo) 
}

Change config

Edit the config.

kubectl -n gatekeeper-system edit config config

Edit the validation section.

...
spec:
  sync:
    syncOnly:
    - kind: Namespace
      version: v1
    - kind: Pod
      version: v1
  validation:
    traces:
    - kind:
        kind: Service
        version: v1
      user: minikube-user
...

Test

Create a template.

---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: servicetypes
spec:
  crd:
    spec:
      names:
        kind: Servicetypes
        listKind: ServicetypesList
        plural: servicetypes
        singular: servicetypes

  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package servicetypes
        
        violation[{"msg": msg}] {
          input.review.kind.kind == "Service"
          input.review.object.spec.type == "LoadBalancer"
          trace(json.marshal(input.review.userInfo))
          msg := "Service type LoadBalancer is denied"
        }

Create a constraint.

---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Servicetypes
metadata:
  name: service-type-lb-not-allowed
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]

Create a bad object.

kind: Service
apiVersion: v1
metadata:
  name: example-tmp
  namespace: default
spec:
  selector:
    app: example-tmp
  ports:
  - protocol: TCP
    port: 80
  type: LoadBalancer

Watch gatekeeper-controller-manager pod logs.

Watch template status section:

kubectl get constrainttemplates.templates.gatekeeper.sh servicetypes -o yaml

PreviousCheat Sheet NextCheat Sheet

Last updated 5 years ago

This section is designed to be tested on a SAFE ENVIRONMENT such as minikube running locally

Install Gatekeeper

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml

References

Enable DEBUG

Change log level

Edit the deployment.

kubectl -n gatekeeper-system edit deployments gatekeeper-controller-manager

Add --log-level=DEBUG parameter:

...
    spec:
      containers:
      - args:
        - --auditInterval=30
        - --port=8443
        - --logtostderr
        - --log-level=DEBUG
...

Enable tracing

Find out what is your API user name

Method 01

Get the certificate from your kubeconfig file.

If the certificate is already embedded, base64 decode the certificate-authority-data field.

cat ~/.kube/config | yq r - clusters.0.cluster.certificate-authority-data | base64 -d

And decode the certificate using a tool such as

The "Common Name" is your user name.

If the certificate is not embedded, it means it is in an external file, just copy the client-certificate file content and decode the certificate and the the "Common Name".

Method 02

Create a Gatekeep ConstraintTemplate just to debug what is your user name.

Create a violation function and return the input.review.userInfo, for example:

...
violation[{"msg": msg}] {
  input.review.kind.kind == "Service"
  msg := json.marshal(input.review.userInfo) 
}

Change config

Edit the config.

kubectl -n gatekeeper-system edit config config

Edit the validation section.

...
spec:
  sync:
    syncOnly:
    - kind: Namespace
      version: v1
    - kind: Pod
      version: v1
  validation:
    traces:
    - kind:
        kind: Service
        version: v1
      user: minikube-user
...

Test

Create a template.

---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: servicetypes
spec:
  crd:
    spec:
      names:
        kind: Servicetypes
        listKind: ServicetypesList
        plural: servicetypes
        singular: servicetypes

  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package servicetypes
        
        violation[{"msg": msg}] {
          input.review.kind.kind == "Service"
          input.review.object.spec.type == "LoadBalancer"
          trace(json.marshal(input.review.userInfo))
          msg := "Service type LoadBalancer is denied"
        }

Create a constraint.

---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Servicetypes
metadata:
  name: service-type-lb-not-allowed
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]

Create a bad object.

kind: Service
apiVersion: v1
metadata:
  name: example-tmp
  namespace: default
spec:
  selector:
    app: example-tmp
  ports:
  - protocol: TCP
    port: 80
  type: LoadBalancer

Watch gatekeeper-controller-manager pod logs.

Watch template status section:

kubectl get constrainttemplates.templates.gatekeeper.sh servicetypes -o yaml