OPA Gatekeeper策略以阻止特权Pods。

huangapple go评论62阅读模式
英文:

OPA Gatekeeper Policy to block priviliged Pods

问题

自两天前起,我一直在尝试创建一个简单的 OPA Gatekeeper 策略,用于阻止在某些命名空间中创建具有 "privileged:true" 属性的 pod。

一些更多的细节:

我使用的是版本为 3.13 的 opa-gatekeeper,按照 [这些说明](https://open-policy-agent.github.io/gatekeeper/website/docs/install) 进行安装。

为了启用该策略,首先我创建了一个 ConstraintTemplate:

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: disallowprivilegedpods
  annotations:
    description: "Disallow creation of privileged pods in alpha and beta namespaces"
spec:
  crd:
    spec:
      names:
        kind: DisallowPrivilegedPods
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package disallow_privileged_pods

        violation[{"msg": msg}] {
          input.request.kind.kind == "Pod"
          input.request.operation == "CREATE"
          input.request.namespace == ["alpha", "beta"]
          input.request.object.spec.securityContext.privileged == true
          msg := "Privileged pods are not allowed in the Alpha and Beta namespaces."
        }

接下来,我创建了约束条件:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowPrivilegedPods
metadata:
  name: disallow-privileged-pods-alpha-beta
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - alpha
      - beta

为了测试策略是否正确工作,我尝试在其中一个命名空间部署此 pod:

apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
  namespace: alpha
spec:
  containers:
    - name: my-container
      image: nginx
      securityContext:
        privileged: true
  restartPolicy: Never

遗憾的是,该策略似乎不起作用,该 pod 可以被创建。

有人能给我一些提示,策略出了什么问题吗?

致敬,

Christian


<details>
<summary>英文:</summary>

Since 2 days I try to create a simple OPA Gatekeeper Policy which blocks the creation of pods with &quot;privileged:true&quot; for some namespaces.

Some more details:

Im using opa-gatekeeper in version 3.13 installed by following [these instructions](https://open-policy-agent.github.io/gatekeeper/website/docs/install).

To enable the policy, first I created a ConstraintTemplate:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: disallowprivilegedpods
annotations:
description: "Disallow creation of privileged pods in alpha and beta namespaces"
spec:
crd:
spec:
names:
kind: DisallowPrivilegedPods
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package disallow_privileged_pods

    violation[{&quot;msg&quot;: msg}] {
      input.request.kind.kind == &quot;Pod&quot;
      input.request.operation == &quot;CREATE&quot;
      input.request.namespace == [&quot;alpha&quot;, &quot;beta&quot;]
      input.request.object.spec.securityContext.privileged == true
      msg := &quot;Privileged pods are not allowed in the Alpha and Beta namespaces.&quot;
    }

Next I created the constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowPrivilegedPods
metadata:
name: disallow-privileged-pods-alpha-beta
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
namespaces:
- alpha
- beta


To test if the policy is working correctly, I tried to deploy this pod in one of these namespaces:

apiVersion: v1
kind: Pod
metadata:
name: privileged-pod
namespace: alpha
spec:
containers:
- name: my-container
image: nginx
securityContext:
privileged: true
restartPolicy: Never


Unfortunately the policy doesnt seem to work and the pod can be created.

Can anyone give me some hints, whats wrong with the policy?

Cheers,

Christian

</details>


# 答案1
**得分**: 1

This check - `input.request.namespace == ["alpha", "beta"]` 将仅在 `input.request.namespace` 字段与要比较的数组完全相同时评估为 true。即 - 仅当 `input.request.namespace` 是一个包含两个值的数组时,第一个值为 "alpha",第二个值为 "beta" 时,才会为 true。

要检查数组输入字段是否包含两个值中的一个,请使用 [增量规则](https://www.eknert.com/tech/2020/02/04/incremental-rules-in-opa.html) 和 [数组查找](https://www.openpolicyagent.org/docs/latest/policy-reference/#arrays):

```rego
namespace_alpha_or_beta {
    "alpha" = input.request.namespace[_]
}

namespace_alpha_or_beta {
    "beta" = input.request.namespace[_]
}
英文:

This check - input.request.namespace == [&quot;alpha&quot;, &quot;beta&quot;] will evaluate to true only if the input.request.namespace field is exactly identical to the array it is being compared to. i.e. - Only if input.request.namespace is an array with exactly two values, the first one being "alpha" and the second one "beta"

To check if an array input field holds one of two values, use incremental rules and array lookups:

namespace_alpha_or_beta {
	&quot;alpha&quot; = input.request.namespace[_]
}

namespace_alpha_or_beta {
	&quot;beta&quot; = input.request.namespace[_]
}

huangapple
  • 本文由 发表于 2023年5月18日 04:02:56
  • 转载请务必保留本文链接:https://go.coder-hub.com/76275823.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定