Developer Quick Start

This section is designed to be tested on a SAFE ENVIRONMENT such as minikube running locally 
Install Gatekeeper
1
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml
Copied!
References
​https://github.com/open-policy-agent/gatekeeper#installation​
Enable DEBUG
Change log level
Edit the deployment.
1
kubectl -n gatekeeper-system edit deployments gatekeeper-controller-manager
Copied!
Add --log-level=DEBUG parameter:
1
...
2
    spec:
3
      containers:
4
      - args:
5
        - --auditInterval=30
6
        - --port=8443
7
        - --logtostderr
8
        - --log-level=DEBUG
9
...
Copied!
Enable tracing
Find out what is your API user name
Method 01
Get the certificate from your kubeconfig file.
If the certificate is already embedded, base64 decode the certificate-authority-data field.
1
cat ~/.kube/config | yq r - clusters.0.cluster.certificate-authority-data | base64 -d
Copied!
And decode the certificate using a tool such as https://www.sslshopper.com/certificate-decoder.html​
The "Common Name" is your user name.
If the certificate is not embedded, it means it is in an external file, just copy the client-certificate file content and decode the certificate and the the "Common Name".
Method 02
Create a Gatekeep ConstraintTemplate just to debug what is your user name.
Create a violation function and return the input.review.userInfo, for example:
1
...
2
violation[{"msg": msg}] {
3
  input.review.kind.kind == "Service"
4
  msg := json.marshal(input.review.userInfo) 
5
}
Copied!
Change config
Edit the config.
1
kubectl -n gatekeeper-system edit config config
Copied!
Edit the validation section.
1
...
2
spec:
3
  sync:
4
    syncOnly:
5
    - kind: Namespace
6
      version: v1
7
    - kind: Pod
8
      version: v1
9
  validation:
10
    traces:
11
    - kind:
12
        kind: Service
13
        version: v1
14
      user: minikube-user
15
...
Copied!
Test
Create a template.
1
---
2
apiVersion: templates.gatekeeper.sh/v1beta1
3
kind: ConstraintTemplate
4
metadata:
5
  name: servicetypes
6
spec:
7
  crd:
8
    spec:
9
      names:
10
        kind: Servicetypes
11
        listKind: ServicetypesList
12
        plural: servicetypes
13
        singular: servicetypes
14
​
15
  targets:
16
    - target: admission.k8s.gatekeeper.sh
17
      rego: |
18
        package servicetypes
19
        
20
        violation[{"msg": msg}] {
21
          input.review.kind.kind == "Service"
22
          input.review.object.spec.type == "LoadBalancer"
23
          trace(json.marshal(input.review.userInfo))
24
          msg := "Service type LoadBalancer is denied"
25
        }
Copied!
Create a constraint.
1
---
2
apiVersion: constraints.gatekeeper.sh/v1beta1
3
kind: Servicetypes
4
metadata:
5
  name: service-type-lb-not-allowed
6
spec:
7
  match:
8
    kinds:
9
      - apiGroups: [""]
10
        kinds: ["Service"]
Copied!
Create a bad object.
1
kind: Service
2
apiVersion: v1
3
metadata:
4
  name: example-tmp
5
  namespace: default
6
spec:
7
  selector:
8
    app: example-tmp
9
  ports:
10
  - protocol: TCP
11
    port: 80
12
  type: LoadBalancer
Copied!
Watch gatekeeper-controller-manager pod logs.
Watch template status section:
1
kubectl get constrainttemplates.templates.gatekeeper.sh servicetypes -o yaml
Copied!
​

Gatekeeper (OPA) - Previous

Cheat Sheet

Next - GCP

Cheat Sheet

Last modified 2yr ago

Copy link

Contents