英文:
Checkov - creating a basic custom policy to ensure that an annotation is set on a Kubernetes Deployment
问题
我一直在查看Checkov,看它是否能够标记出任何缺少kubectl.kubernetes.io/default-container
注释的Kubernetes部署。
我似乎无法使其工作。这似乎是Checkov的一个非常简单的用例。
我目前有以下策略文档:
---
metadata:
id: "CKV2_KCDC_1"
name: "Ensure all Deployments have default-container annotation"
category: "KUBERNETES"
definition:
and:
- cond_type: filter
value:
- Deployment
operator: within
attribute: kind
- cond_type: attribute
resource_types:
- Deployment
attribute: "metadata.annotations.kubectl.kubernetes.io/default-container"
operator: exists
我的理解是“过滤出部署,并确保每个部署都有这个注释”。
当我运行这个时,我得到了很多失败,但当我将注释添加到失败的清单中时,这些失败没有解决。
英文:
I've been looking at checkov to see if it can flag up if any Kubernetes Deployments which are missing the annotation kubectl.kubernetes.io/default-container
.
I cannot seem to get this to work. It seems like a very simple use case for checkov.
I've currently got the following policy document:
---
metadata:
id: "CKV2_KCDC_1"
name: "Ensure all Deployments have default-container annotation"
category: "KUBERNETES"
definition:
and:
- cond_type: filter
value:
- Deployment
operator: within
attribute: kind
- cond_type: attribute
resource_types:
- Deployment
attribute: "metadata.annotations.kubectl.kubernetes.io/default-container"
operator: exists
My interpretation of this is "Filter for Deployments, and ensure that each one has the annotation"
When I run this, I get a lot of failures, but when I add the annotation to the failing manifests those failures are not resolved.
答案1
得分: 0
我最终选择了Datree来完成这个任务。我的组织已经在使用它,我发现使用自定义规则编写策略非常容易,适用于我的情况。策略大致如下:
apiVersion: v1
policies:
- name: Custom
isDefault: true
rules:
- identifier: ENSURE_DEFAULT_CONTAINER_ANNOTATION_IS_SET
messageOnFailure: 每个工作负载必须设置kubectl.kubernetes.io/default-container注释,以便多容器工作负载在kubctl exec和kubectl log命令中具有合理的默认值。
customRules:
- identifier: ENSURE_DEFAULT_CONTAINER_ANNOTATION_IS_SET
name: 确保工作负载设置了默认容器注释
defaultMessageOnFailure: 每个工作负载必须设置kubectl.kubernetes.io/default-container注释,以便多容器工作负载在kubctl exec和kubectl log命令中具有合理的默认值。
schema:
if:
properties:
kind:
enum:
- Deployment
- StatefulSet
then:
properties:
spec:
properties:
template:
properties:
metadata:
properties:
annotations:
required:
- kubectl.kubernetes.io/default-container
required:
- annotations
请注意,这是您提供的代码的中文翻译部分。
英文:
I ended up going with datree for this. My organisation was already using it, and I found it very easy to write a policy with a custom rule for my scenario. The policy looks something like this:
<!-- begin snippet: js hide: false console: false babel: false -->
<!-- language: lang-html -->
apiVersion: v1
policies:
- name: Custom
isDefault: true
rules:
- identifier: ENSURE_DEFAULT_CONTAINER_ANNOTATION_IS_SET
messageOnFailure: Every workload must set the kubectl.kubernetes.io/default-container annotation so that multi-container workloads have sensible defaults for kubctl exec and kubectl log commands.
customRules:
- identifier: ENSURE_DEFAULT_CONTAINER_ANNOTATION_IS_SET
name: Ensure workload has default container annotation set
defaultMessageOnFailure: Every workload must set the kubectl.kubernetes.io/default-container annotation so that multi-container workloads have sensible defaults for kubctl exec and kubectl log commands.
schema:
if:
properties:
kind:
enum:
- Deployment
- StatefulSet
then:
properties:
spec:
properties:
template:
properties:
metadata:
properties:
annotations:
required:
- kubectl.kubernetes.io/default-container
required:
- annotations
<!-- end snippet -->
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论