Kubernetes - OPA Gatekeeper
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
The original author of this page is Guillaume
Overview
Open Policy Agent (OPA) Gatekeeper is a tool used to enforce admission policies in Kubernetes. These policies are written in Rego, the policy language provided by OPA. Below is a basic example of a policy definition for OPA Gatekeeper:
package k8srequiredlabels

violation[{"msg": msg}] {
  # Label names actually present on the object being admitted
  provided := {label | input.review.object.metadata.labels[label]}
  # Required label names come from the Constraint's parameters.labels,
  # which is a map of label name -> value, so iterate over its keys
  required := {label | input.parameters.labels[label]}
  missing := required - provided
  count(missing) > 0
  msg := sprintf("Required labels missing: %v", [missing])
}

# Gatekeeper evaluates only the violation rules; this default is never consulted
default allow = false
This Rego policy checks whether specific labels are present on a Kubernetes resource. If any of the required labels is missing, it produces a violation message naming the missing labels. The policy can be used to ensure that every resource deployed in the cluster carries a given set of labels.
Apply the Constraint
To use this policy with OPA Gatekeeper, you define a ConstraintTemplate and a Constraint in Kubernetes:
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg}] {
          provided := {label | input.review.object.metadata.labels[label]}
          # parameters.labels is a map of label name -> value, so iterate its keys
          required := {label | input.parameters.labels[label]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("Required labels missing: %v", [missing])
        }

        default allow = false
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: ensure-pod-has-label
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    labels:
      requiredLabel1: "true"
      requiredLabel2: "true"
In this YAML example, we define a ConstraintTemplate that requires labels. We then create a Constraint named ensure-pod-has-label, which references the k8srequiredlabels ConstraintTemplate, restricts the match to Pods in the core API group, and specifies the required labels.
Once Gatekeeper is running in the Kubernetes cluster, it enforces this policy at admission time, rejecting the creation of any Pod that does not carry the specified labels.
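The rule above can be unit-tested with the OPA CLI before it is ever loaded into a cluster, which is where mistakes such as iterating over the parameter values instead of the label names get caught. The file below is an added example, not code from the HackTricks page or from the Gatekeeper project; it restates the rule in the rego.v1 keyword syntax (assumes OPA 0.59 or newer), feeds it constructed AdmissionReview-style inputs for hypothetical Pods, and checks the compliant, partially labelled and completely unlabelled cases:

```rego
package k8srequiredlabels

import rego.v1

# Same rule as the ConstraintTemplate on this page, in rego.v1 syntax.
# input.parameters.labels is a map of label name -> value (as in the
# ensure-pod-has-label Constraint), so its keys are the required names.
violation contains {"msg": msg} if {
	provided := {label | input.review.object.metadata.labels[label]}
	required := {label | input.parameters.labels[label]}
	missing := required - provided
	count(missing) > 0
	msg := sprintf("Required labels missing: %v", [missing])
}

# Constructed parameters mirroring the Constraint above.
params := {"labels": {"requiredLabel1": "true", "requiredLabel2": "true"}}

# Constructed inputs shaped like what Gatekeeper hands the rule
# (hypothetical Pods, not captured from a real cluster).
compliant_pod := {
	"review": {"object": {"kind": "Pod", "metadata": {
		"name": "web",
		"labels": {"requiredLabel1": "a", "requiredLabel2": "b", "extra": "c"},
	}}},
	"parameters": params,
}

one_label_missing := {
	"review": {"object": {"kind": "Pod", "metadata": {
		"name": "web",
		"labels": {"requiredLabel1": "a"},
	}}},
	"parameters": params,
}

# Edge case: metadata.labels is absent entirely. The comprehension over an
# undefined path yields an empty set, so every required label is missing.
no_labels_at_all := {
	"review": {"object": {"kind": "Pod", "metadata": {"name": "web"}}},
	"parameters": params,
}

test_compliant_pod_produces_no_violation if {
	count(violation) == 0 with input as compliant_pod
}

test_one_missing_label_is_reported if {
	v := violation with input as one_label_missing
	count(v) == 1
	some x in v
	contains(x.msg, "requiredLabel2")
	not contains(x.msg, "requiredLabel1")
}

test_object_without_labels_field_is_still_rejected if {
	count(violation) == 1 with input as no_labels_at_all
}
```

Save it as, for instance, k8srequiredlabels_test.rego and run `opa test -v k8srequiredlabels_test.rego`; `opa test` picks up every rule whose name starts with `test_`. The third test is the one worth keeping in mind for admission policies: a resource with no labels block at all must still be rejected, otherwise the policy can be bypassed by simply omitting metadata.labels.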