This section is designed to be tested in a SAFE ENVIRONMENT such as minikube running locally.
Install Gatekeeper
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml
References
https://github.com/open-policy-agent/gatekeeper#installation
Enable DEBUG
Change log level
Edit the deployment.
kubectl -n gatekeeper-system edit deployments gatekeeper-controller-manager
Add the --log-level=DEBUG parameter:
...
spec:
  containers:
  - args:
    - --auditInterval=30
    - --port=8443
    - --logtostderr
    - --log-level=DEBUG
...
Enable tracing
Find out your API user name
Method 01
Get the client certificate from your kubeconfig file.
If the certificate is embedded, base64 decode the client-certificate-data field of your user entry (the command below uses yq v3 syntax):
cat ~/.kube/config | yq r - users.0.user.client-certificate-data | base64 -d
Then decode the certificate, either locally with openssl x509 -noout -subject or with a tool such as https://www.sslshopper.com/certificate-decoder.html
The "Common Name" is your user name.
If the certificate is not embedded, it is in an external file: copy the client-certificate file content, decode the certificate and read the "Common Name".
Method 02
Create a Gatekeeper ConstraintTemplate just to debug your user name.
Write a violation rule that returns input.review.userInfo as the message, for example:
...
violation[{"msg": msg}] {
  input.review.kind.kind == "Service"
  msg := json.marshal(input.review.userInfo)
}
Change config
Edit the config.
kubectl -n gatekeeper-system edit config config
Edit the validation section.
...
spec:
  sync:
    syncOnly:
    - kind: Namespace
      version: v1
    - kind: Pod
      version: v1
  validation:
    traces:
    - kind:
        kind: Service
        version: v1
      user: minikube-user
...
Test
Create a template.
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: servicetypes
spec:
  crd:
    spec:
      names:
        kind: Servicetypes
        listKind: ServicetypesList
        plural: servicetypes
        singular: servicetypes
  targets:
  - target: admission.k8s.gatekeeper.sh
    rego: |
      package servicetypes
      violation[{"msg": msg}] {
        input.review.kind.kind == "Service"
        input.review.object.spec.type == "LoadBalancer"
        trace(json.marshal(input.review.userInfo))
        msg := "Service type LoadBalancer is denied"
      }
Create a constraint.
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Servicetypes
metadata:
  name: service-type-lb-not-allowed
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Service"]
Create a bad object.
kind: Service
apiVersion: v1
metadata:
  name: example-tmp
  namespace: default
spec:
  selector:
    app: example-tmp
  ports:
  - protocol: TCP
    port: 80
  type: LoadBalancer
Watch the gatekeeper-controller-manager pod logs.
Watch the template status section:
kubectl get constrainttemplates.templates.gatekeeper.sh servicetypes -o yaml
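The trace configuration above and the servicetypes policy, modelled offline as an added example (not Gatekeeper's own code) so the behaviour can be checked without a cluster: a trace note is only produced where the Rego body reaches trace(), and it only reaches the controller log when the review's kind/version and user match a validation.traces entry. The AdmissionReview shape is constructed sample input, and make_review is a helper introduced here.

```python
import json

# Mirrors spec.validation.traces from the Gatekeeper Config shown above.
TRACES = [{"kind": {"kind": "Service", "version": "v1"}, "user": "minikube-user"}]


def make_review(username, svc_type, kind="Service", version="v1"):
    """Build a constructed AdmissionReview request in the shape Gatekeeper exposes as input.review."""
    return {
        "kind": {"group": "", "version": version, "kind": kind},
        "userInfo": {"username": username, "groups": ["system:authenticated"]},
        "object": {"apiVersion": version, "kind": kind,
                   "metadata": {"name": "example-tmp", "namespace": "default"},
                   "spec": {"type": svc_type, "ports": [{"protocol": "TCP", "port": 80}]}},
    }


def trace_enabled(review, traces=TRACES):
    """A trace entry applies only when both the reviewed kind/version and the requesting user match."""
    return any(t["kind"]["kind"] == review["kind"]["kind"]
               and t["kind"]["version"] == review["kind"]["version"]
               and t["user"] == review["userInfo"]["username"] for t in traces)


def servicetypes_violation(review):
    """Python rendering of the servicetypes Rego rule; returns (violations, trace notes)."""
    if review["kind"]["kind"] != "Service":
        return [], []
    if review["object"].get("spec", {}).get("type") != "LoadBalancer":
        return [], []
    # Same position as trace(json.marshal(input.review.userInfo)) in the Rego body:
    # the note is only produced once the preceding conditions hold.
    notes = [json.dumps(review["userInfo"], sort_keys=True)]
    return ["Service type LoadBalancer is denied"], notes


def evaluate(review, traces=TRACES):
    """Return what the admission result and the controller log would contain for this review."""
    violations, notes = servicetypes_violation(review)
    # Trace notes reach the gatekeeper-controller-manager log only for traced requests.
    return {"violations": violations, "trace": notes if trace_enabled(review, traces) else []}


if __name__ == "__main__":
    print(json.dumps(evaluate(make_review("minikube-user", "LoadBalancer")), indent=2))
```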