Developer Quick Start

This section is designed to be tested on a SAFE ENVIRONMENT such as minikube running locally 
Install Gatekeeper
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml
References
​https://github.com/open-policy-agent/gatekeeper#installation​
Enable DEBUG
Change log level
Edit the deployment.
kubectl -n gatekeeper-system edit deployments gatekeeper-controller-manager
Add --log-level=DEBUG parameter:
...
    spec:
      containers:
      - args:
        - --auditInterval=30
        - --port=8443
        - --logtostderr
        - --log-level=DEBUG
...
Enable tracing
Find out what is your API user name
Method 01
Get the certificate from your kubeconfig file.
If the certificate is already embedded, base64 decode the certificate-authority-data field.
cat ~/.kube/config | yq r - clusters.0.cluster.certificate-authority-data | base64 -d
And decode the certificate using a tool such as https://www.sslshopper.com/certificate-decoder.html​
The "Common Name" is your user name.
If the certificate is not embedded, it means it is in an external file, just copy the client-certificate file content and decode the certificate and the the "Common Name".
Method 02
Create a Gatekeep ConstraintTemplate just to debug what is your user name.
Create a violation function and return the input.review.userInfo, for example:
...
violation[{"msg": msg}] {
  input.review.kind.kind == "Service"
  msg := json.marshal(input.review.userInfo) 
}
Change config
Edit the config.
kubectl -n gatekeeper-system edit config config
Edit the validation section.
...
spec:
  sync:
    syncOnly:
    - kind: Namespace
      version: v1
    - kind: Pod
      version: v1
  validation:
    traces:
    - kind:
        kind: Service
        version: v1
      user: minikube-user
...
Test
Create a template.
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: servicetypes
spec:
  crd:
    spec:
      names:
        kind: Servicetypes
        listKind: ServicetypesList
        plural: servicetypes
        singular: servicetypes
​
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package servicetypes
        
        violation[{"msg": msg}] {
          input.review.kind.kind == "Service"
          input.review.object.spec.type == "LoadBalancer"
          trace(json.marshal(input.review.userInfo))
          msg := "Service type LoadBalancer is denied"
        }
Create a constraint.
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Servicetypes
metadata:
  name: service-type-lb-not-allowed
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
Create a bad object.
kind: Service
apiVersion: v1
metadata:
  name: example-tmp
  namespace: default
spec:
  selector:
    app: example-tmp
  ports:
  - protocol: TCP
    port: 80
  type: LoadBalancer
Watch gatekeeper-controller-manager pod logs.
Watch template status section:
kubectl get constrainttemplates.templates.gatekeeper.sh servicetypes -o yaml
​

Gatekeeper (OPA) - Previous

Cheat Sheet

Next - GCP

Cheat Sheet

Last modified 2yr ago

Copy link

Outline

Install Gatekeeper

References

Enable DEBUG

Change log level

Enable tracing

Test