Kubernetes - OPA Gatekeeper


The original author of this page is Guillaume

Overview

Open Policy Agent (OPA) Gatekeeper is a tool used to enforce admission policies in Kubernetes. These policies are written in Rego, the policy language provided by OPA. Below is a basic example of a policy definition for OPA Gatekeeper:

```rego
package k8srequiredlabels

violation[{"msg": msg}] {
  # label keys present on the object under admission review
  provided := {label | input.review.object.metadata.labels[label]}
  # label keys listed in the Constraint's parameters.labels map
  required := {label | input.parameters.labels[label]}
  missing := required - provided
  count(missing) > 0
  msg := sprintf("Required labels missing: %v", [missing])
}

default allow = false
```

This Rego policy checks whether certain labels are present on Kubernetes resources. If any required label is missing, it returns a violation message. The policy can be used to ensure that every resource deployed to the cluster carries specific labels.

Apply the Constraint

To apply this policy with OPA Gatekeeper, you would define a ConstraintTemplate and a Constraint in Kubernetes:

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | input.parameters.labels[label]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("Required labels missing: %v", [missing])
        }

        default allow = false
```

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: ensure-pod-has-label
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    labels:
      requiredLabel1: "true"
      requiredLabel2: "true"
```

In this YAML example, we define a ConstraintTemplate that requires labels. We then create a Constraint named ensure-pod-has-label, which references the k8srequiredlabels ConstraintTemplate and specifies the required labels.

Once Gatekeeper is deployed in the Kubernetes cluster, it enforces this policy, denying the creation of Pods that lack the specified labels.
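An added example, not part of the original page: a Rego unit-test file that exercises the k8srequiredlabels policy against constructed AdmissionReview inputs, so the template can be checked with `opa test` before it is installed in a cluster. It repeats the policy rules so the file runs stand-alone; the file name `k8srequiredlabels_test.rego` and the Pod names are assumptions.

```rego
package k8srequiredlabels

# Policy under test, identical to the rego in the ConstraintTemplate.
violation[{"msg": msg}] {
  provided := {label | input.review.object.metadata.labels[label]}
  required := {label | input.parameters.labels[label]}
  missing := required - provided
  count(missing) > 0
  msg := sprintf("Required labels missing: %v", [missing])
}

# Constructed inputs: the shape Gatekeeper hands to the template, i.e. the
# admission "review" plus the Constraint's "parameters".
required_params := {"labels": {"requiredLabel1": "true", "requiredLabel2": "true"}}

pod_missing_label := {
  "review": {"object": {"metadata": {"name": "web", "labels": {"requiredLabel1": "true"}}}},
  "parameters": required_params
}

pod_with_all_labels := {
  "review": {"object": {"metadata": {"name": "web", "labels": {"requiredLabel1": "true", "requiredLabel2": "true"}}}},
  "parameters": required_params
}

# Edge case: a Pod with no labels field at all must still be rejected.
pod_without_labels := {
  "review": {"object": {"metadata": {"name": "web"}}},
  "parameters": required_params
}

test_missing_label_reports_violation {
  v := violation with input as pod_missing_label
  count(v) == 1
  contains(v[_].msg, "requiredLabel2")
}

test_all_labels_present_no_violation {
  v := violation with input as pod_with_all_labels
  count(v) == 0
}

test_pod_without_labels_reports_both {
  v := violation with input as pod_without_labels
  count(v) == 1
  contains(v[_].msg, "requiredLabel1")
  contains(v[_].msg, "requiredLabel2")
}
```

Run it with `opa test -v k8srequiredlabels_test.rego`; on OPA 1.x add `--v0-compatible`, since the page's rule syntax predates Rego v1.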

References