Repository for the talk "Tu non puoi passare! Policy compliance con OPA Gatekeeper" presented at KCD Italy 2021 ๐ฎ๐น.
Slides are available under ./slides/
- Create minikube cluster
make minikube- Deploy OPA Gatekeeper 3.5:
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.5/deploy/gatekeeper.yaml
# Local version available at ./manifests/gatekeeper.yaml- Deploy Gatekeeper Policy Manager v0.5.0:
kubectl apply -k https://github.com/sighupio/gatekeeper-policy-manager/
# Local version available at ./manifests/gatekeeper-policy-manager.yaml- Port forward Gatekeeper Policy Manager UI on
localhost:8080:
kubectl port-forward svc/gatekeeper-policy-manager -n gatekeeper-system 8080:80 2>&1 >/dev/null &- Create our first
ContraintTemplate:
kubectl apply -f manifests/rules/0-ns-require-labels/template.yamlA
ConstraintTemplatedescribes both the Rego that enforces the constraint and the schema of the constraint.
- Check the creation of the related resources:
kubectl get constrainttemplates.templates.gatekeeper.shExpected Output:
NAME AGE
namespacerequirelabels 6m48s- Check the new CRD that gets created:
kubectl get crd | grep constraintsExpected Output:
namespacerequirelabels.constraints.gatekeeper.sh 2021-11-15T13:52:53Z- Instantiate the template with a
Constraint:
kubectl apply -f manifests/rules/0-ns-require-labels/require-kcd-italy-label/constraint.yaml
Constraintsare used to actually enforce aConstraintTemplate
- Inspect new resources:
kubectl get constraintsExpected output:
NAME AGE
ns-must-have-kcd-italy-label 9s- Test creation of a namespace
badwithout thekcd-italylabel:
kubectl create ns bad
# kubectl apply -f manifests/rules/0-ns-require-labels/require-kcd-italy-label/example_disallowed.yaml Expected output:
Error from server ([ns-must-have-kcd-italy-label] you must provide labels: {"kcd-italy"}): admission webhook "validation.gatekeeper.sh" denied the request: [ns-must-have-kcd-italy-label] you must provide labels: {"kcd-italy"}- Test creation of a namespace
goodwith thekcd-italylabel:
kubectl apply -f manifests/rules/0-ns-require-labels/require-kcd-italy-label/example_allowed.yamlExpected output:
namespace/good created- Create the
ContraintTemplateand theConstraint:
kubectl apply -f manifests/rules/1-pod-from-trusted-registry/template.yaml
kubectl apply -f manifests/rules/1-pod-from-trusted-registry/trust-sighup-registry/constraint.yaml- Check the creation of the related resources:
kubectl get constrainttemplates.templates.gatekeeper.sh,constraintsExpected Output:
NAME AGE
constrainttemplate.templates.gatekeeper.sh/trustedimageregistry 18s
# ... hiding other constrainttemplates for brevity
NAME AGE
trustedimageregistry.constraints.gatekeeper.sh/all-pods-from-sighup-registry 9s
# ... hiding other constraints for brevity- Test that the
Constraintallows aregistry.sighup.io/workshop/nginximage:
kubectl apply -f manifests/rules/1-pod-from-trusted-registry/trust-sighup-registry/example_allowed.yamlExpected Output:
pod/good-pod created- Test that the
Constraintdoes not allow anginximage:
kubectl apply -f manifests/rules/1-pod-from-trusted-registry/trust-sighup-registry/example_disallowed.yamlExpected Output:
Error from server ([all-pods-from-sighup-registry] image 'nginx' comes from untrusted registry): error when creating "manifests/rules/1-pod-from-trusted-registry/trust-sighup-registry/example_disallowed.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [all-pods-from-sighup-registry] image 'nginx' comes from untrusted registry- Try to create a deployment with an untrusted registry. What happens?
kubectl create deployment nginx-deploy --image nginx --replicas 10Expected Output:
deployment.apps/nginx-deploy createdAre the pods running?
kubectl get deployments.apps nginx-deploy Expected Output:
NAME READY UP-TO-DATE AVAILABLE AGE
nginx-deploy 0/10 0 0 6sTry to inspect the related ReplicaSet:
kubectl describe rs $(kubectl get rs -o jsonpath='{.items[*].metadata.name}' | grep nginx-deploy)- Create the
ContraintTemplateand theConstraint:
kubectl apply -f manifests/rules/2-unique-ingress-host/template.yaml
kubectl apply -f manifests/rules/2-unique-ingress-host/unique-ingress/constraint.yaml- Check the creation of the related resources:
kubectl get constrainttemplates.templates.gatekeeper.sh,constraintsExpected Output:
NAME AGE
constrainttemplate.templates.gatekeeper.sh/k8suniqueingresshost 6m3s
# ... hiding other constrainttemplates for brevity
NAME AGE
k8suniqueingresshost.constraints.gatekeeper.sh/unique-ingress-host 5m13s
# ... hiding other constraints for brevity- Test the
Constraint:
kubectl apply -f manifests/rules/2-unique-ingress-host/unique-ingress/example_disallowed.yamlExpected Output:
ingress.networking.k8s.io/ingress-host-1 created
ingress.networking.k8s.io/ingress-host-2 createdThe Constraint is correct, but it's not working as we have not replicated any data to Gatekeeper.
- Deploy necessary config:
kubectl apply -f manifests/rules/2-unique-ingress-host/config.yaml- Test the
Constraintagain:
kubectl delete -f manifests/rules/2-unique-ingress-host/unique-ingress/example_disallowed.yaml
kubectl apply -f manifests/rules/2-unique-ingress-host/unique-ingress/example_disallowed.yaml Expected Output:
ingress.networking.k8s.io/ingress-host-1 created
Error from server ([unique-ingress-host] Ingress host conflicts with an existing Ingress <example-host.example.com>
[unique-ingress-host] Ingress host conflicts with an existing Ingress <example-host.example.com>): error when creating "manifests/rules/2-unique-ingress-host/unique-ingress/example_disallowed.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [unique-ingress-host] Ingress host conflicts with an existing Ingress <example-host.example.com>
[unique-ingress-host] Ingress host conflicts with an existing Ingress <example-host.example.com>- Delete minikube cluster:
make delete