问题

自两天前起，我一直在尝试创建一个简单的 OPA Gatekeeper 策略，用于阻止在某些命名空间中创建具有 "privileged:true" 属性的 pod。

一些更多的细节：

我使用的是版本为 3.13 的 opa-gatekeeper，按照 [这些说明](https://open-policy-agent.github.io/gatekeeper/website/docs/install) 进行安装。

为了启用该策略，首先我创建了一个 ConstraintTemplate：

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: disallowprivilegedpods
  annotations:
    description: "Disallow creation of privileged pods in alpha and beta namespaces"
spec:
  crd:
    spec:
      names:
        kind: DisallowPrivilegedPods
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package disallow_privileged_pods

        violation[{"msg": msg}] {
          input.request.kind.kind == "Pod"
          input.request.operation == "CREATE"
          input.request.namespace == ["alpha", "beta"]
          input.request.object.spec.securityContext.privileged == true
          msg := "Privileged pods are not allowed in the Alpha and Beta namespaces."
        }

接下来，我创建了约束条件：

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowPrivilegedPods
metadata:
  name: disallow-privileged-pods-alpha-beta
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - alpha
      - beta

为了测试策略是否正确工作，我尝试在其中一个命名空间部署此 pod：

apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
  namespace: alpha
spec:
  containers:
    - name: my-container
      image: nginx
      securityContext:
        privileged: true
  restartPolicy: Never

遗憾的是，该策略似乎不起作用，该 pod 可以被创建。

有人能给我一些提示，策略出了什么问题吗？

致敬，

Christian

<details>
<summary>英文:</summary>

Since 2 days I try to create a simple OPA Gatekeeper Policy which blocks the creation of pods with &quot;privileged:true&quot; for some namespaces.

Some more details:

Im using opa-gatekeeper in version 3.13 installed by following [these instructions](https://open-policy-agent.github.io/gatekeeper/website/docs/install).

To enable the policy, first I created a ConstraintTemplate:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: disallowprivilegedpods
annotations:
description: "Disallow creation of privileged pods in alpha and beta namespaces"
spec:
crd:
spec:
names:
kind: DisallowPrivilegedPods
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package disallow_privileged_pods

    violation[{"msg": msg}] {
      input.request.kind.kind == "Pod"
      input.request.operation == "CREATE"
      input.request.namespace == ["alpha", "beta"]
      input.request.object.spec.securityContext.privileged == true
      msg := "Privileged pods are not allowed in the Alpha and Beta namespaces."
    }

Next I created the constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowPrivilegedPods
metadata:
name: disallow-privileged-pods-alpha-beta
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
namespaces:
- alpha
- beta

To test if the policy is working correctly, I tried to deploy this pod in one of these namespaces:

apiVersion: v1
kind: Pod
metadata:
name: privileged-pod
namespace: alpha
spec:
containers:
- name: my-container
image: nginx
securityContext:
privileged: true
restartPolicy: Never

Unfortunately the policy doesnt seem to work and the pod can be created.

Can anyone give me some hints, whats wrong with the policy?

Cheers,

Christian

</details>


# 答案1
**得分**: 1

This check - `input.request.namespace == ["alpha", "beta"]` 将仅在 `input.request.namespace` 字段与要比较的数组完全相同时评估为 true。即 - 仅当 `input.request.namespace` 是一个包含两个值的数组时，第一个值为 "alpha"，第二个值为 "beta" 时，才会为 true。

要检查数组输入字段是否包含两个值中的一个，请使用 [增量规则](https://www.eknert.com/tech/2020/02/04/incremental-rules-in-opa.html) 和 [数组查找](https://www.openpolicyagent.org/docs/latest/policy-reference/#arrays)：

```rego
namespace_alpha_or_beta {
    "alpha" = input.request.namespace[_]
}

namespace_alpha_or_beta {
    "beta" = input.request.namespace[_]
}

namespace_alpha_or_beta {
	"alpha" = input.request.namespace[_]
}

namespace_alpha_or_beta {
	"beta" = input.request.namespace[_]
}