OPA Gatekeeper Policy to block privileged Pods
Question
For two days I have been trying to create a simple OPA Gatekeeper policy that blocks the creation of pods with "privileged: true" in certain namespaces.
Some more details:
I'm using opa-gatekeeper version 3.13, installed by following [these instructions](https://open-policy-agent.github.io/gatekeeper/website/docs/install).
To enable the policy, I first created a ConstraintTemplate:
```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: disallowprivilegedpods
  annotations:
    description: "Disallow creation of privileged pods in alpha and beta namespaces"
spec:
  crd:
    spec:
      names:
        kind: DisallowPrivilegedPods
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package disallow_privileged_pods

        violation[{"msg": msg}] {
          input.request.kind.kind == "Pod"
          input.request.operation == "CREATE"
          input.request.namespace == ["alpha", "beta"]
          input.request.object.spec.securityContext.privileged == true
          msg := "Privileged pods are not allowed in the Alpha and Beta namespaces."
        }
```
Next I created the constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowPrivilegedPods
metadata:
  name: disallow-privileged-pods-alpha-beta
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - alpha
      - beta
```
To test whether the policy works correctly, I tried to deploy this pod in one of those namespaces:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
  namespace: alpha
spec:
  containers:
    - name: my-container
      image: nginx
      securityContext:
        privileged: true
  restartPolicy: Never
```
Unfortunately the policy does not seem to work, and the pod can be created.
Can anyone give me some hints as to what is wrong with the policy?
Cheers,
Christian
<details>
<summary>English:</summary>
For two days I have been trying to create a simple OPA Gatekeeper policy which blocks the creation of pods with "privileged: true" for some namespaces.
Some more details:
I'm using opa-gatekeeper in version 3.13, installed by following [these instructions](https://open-policy-agent.github.io/gatekeeper/website/docs/install).
To enable the policy, first I created a ConstraintTemplate:
```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: disallowprivilegedpods
  annotations:
    description: "Disallow creation of privileged pods in alpha and beta namespaces"
spec:
  crd:
    spec:
      names:
        kind: DisallowPrivilegedPods
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package disallow_privileged_pods

        violation[{"msg": msg}] {
          input.request.kind.kind == "Pod"
          input.request.operation == "CREATE"
          input.request.namespace == ["alpha", "beta"]
          input.request.object.spec.securityContext.privileged == true
          msg := "Privileged pods are not allowed in the Alpha and Beta namespaces."
        }
```
Next I created the constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowPrivilegedPods
metadata:
  name: disallow-privileged-pods-alpha-beta
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - alpha
      - beta
```
To test if the policy is working correctly, I tried to deploy this pod in one of these namespaces:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
  namespace: alpha
spec:
  containers:
    - name: my-container
      image: nginx
      securityContext:
        privileged: true
  restartPolicy: Never
```
Unfortunately the policy doesn't seem to work and the pod can be created.
Can anyone give me some hints, what's wrong with the policy?
Cheers,
Christian
</details>
# Answer 1
**Score**: 1
This check, `input.request.namespace == ["alpha", "beta"]`, evaluates to true only if the `input.request.namespace` field is exactly identical to the array it is compared with, i.e. only if `input.request.namespace` is an array with exactly two values, the first being "alpha" and the second "beta".
To check whether an array input field holds one of two values, use [incremental rules](https://www.eknert.com/tech/2020/02/04/incremental-rules-in-opa.html) and [array lookups](https://www.openpolicyagent.org/docs/latest/policy-reference/#arrays):
```rego
namespace_alpha_or_beta {
  "alpha" = input.request.namespace[_]
}

namespace_alpha_or_beta {
  "beta" = input.request.namespace[_]
}
```
English:
This check - `input.request.namespace == ["alpha", "beta"]` will evaluate to true only if the `input.request.namespace` field is exactly identical to the array it is being compared to. i.e. - Only if `input.request.namespace` is an array with exactly two values, the first one being "alpha" and the second one "beta".
To check if an array input field holds one of two values, use incremental rules and array lookups:
```rego
namespace_alpha_or_beta {
  "alpha" = input.request.namespace[_]
}

namespace_alpha_or_beta {
  "beta" = input.request.namespace[_]
}
```
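As an added example (editor's code, not the asker's template or the answerer's snippet), the policy below shows the membership idiom from the answer written against the input layout Gatekeeper passes to a ConstraintTemplate: the admission request sits under `input.review`, the pod's namespace is the single string `input.review.object.metadata.namespace`, and `privileged` is a field of each container's `securityContext` (the pod-level `spec.securityContext` has no such field), which is why the question's rule never fires. The package name, the `restricted_namespaces` set, the container-collecting rules and the constructed admission inputs in the tests are assumptions made for this example. Policy and tests share one package in Rego v0 syntax, as Gatekeeper 3.13 expects, so the file can be checked offline with `opa test` (OPA 1.x needs `--v0-compatible` for this syntax).

```rego
package disallowprivilegedpods

# --- policy: the part that would go under `rego: |` in the ConstraintTemplate ---

# Assumed scope for the example. The constraint's spec.match.namespaces already
# filters which namespaces reach this Rego; the set is kept to show membership
# (`restricted_namespaces[ns]`) versus the array-equality test `ns == ["alpha", "beta"]`
# from the question, which a single string never equals.
restricted_namespaces := {"alpha", "beta"}

# Gatekeeper hands the AdmissionRequest over as input.review; the namespace is a string.
pod_namespace := input.review.object.metadata.namespace

in_restricted_namespace {
    restricted_namespaces[pod_namespace]
}

# Regular, init and ephemeral containers collected into one set, so every container
# is checked: privileged is a container-level setting, not a pod-level one.
all_containers[c] {
    c := input.review.object.spec.containers[_]
}

all_containers[c] {
    c := input.review.object.spec.initContainers[_]
}

all_containers[c] {
    c := input.review.object.spec.ephemeralContainers[_]
}

# One violation per privileged container. There is deliberately no operation check:
# the rule then also covers updates and works for Gatekeeper audit, which has none.
violation[{"msg": msg}] {
    input.review.kind.kind == "Pod"
    in_restricted_namespace
    c := all_containers[_]
    c.securityContext.privileged == true
    msg := sprintf("container '%s' is privileged; privileged pods are not allowed in namespace '%s'", [c.name, pod_namespace])
}

# --- unit tests with constructed admission inputs (run with `opa test`) ---

# Constructed AdmissionReview fragment: the pod from the question, in namespace alpha.
privileged_pod_input := {"review": {
    "kind": {"kind": "Pod"},
    "object": {
        "metadata": {"name": "privileged-pod", "namespace": "alpha"},
        "spec": {"containers": [{
            "name": "my-container",
            "image": "nginx",
            "securityContext": {"privileged": true}
        }]}
    }
}}

test_privileged_pod_in_alpha_is_denied {
    count(violation) == 1 with input as privileged_pod_input
}

test_unprivileged_pod_is_allowed {
    unprivileged := json.patch(privileged_pod_input, [{"op": "replace", "path": "/review/object/spec/containers/0/securityContext/privileged", "value": false}])
    count(violation) == 0 with input as unprivileged
}

test_privileged_pod_outside_scope_is_allowed {
    elsewhere := json.patch(privileged_pod_input, [{"op": "replace", "path": "/review/object/metadata/namespace", "value": "gamma"}])
    count(violation) == 0 with input as elsewhere
}

# A privileged init container is caught even when the main container is not privileged.
test_privileged_init_container_is_denied {
    with_init := json.patch(privileged_pod_input, [
        {"op": "replace", "path": "/review/object/spec/containers/0/securityContext/privileged", "value": false},
        {"op": "add", "path": "/review/object/spec/initContainers", "value": [{"name": "setup", "image": "busybox", "securityContext": {"privileged": true}}]}
    ])
    count(violation) == 1 with input as with_init
}

# The comparison used in the question: a namespace string is never equal to an array.
test_array_equality_never_matches_a_namespace_string {
    not "alpha" == ["alpha", "beta"]
}
```

Once the tests pass, the `violation` rule and its helpers go under `rego: |` in the template; the namespace scoping can then be left entirely to the constraint's `spec.match.namespaces`, and a `privileged-pod` apply as in the question is rejected with the container name in the admission message.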