2.5.14. gatekeeper 策略集成
了解如何创建、应用、查看和更新您的 gatekeeper 策略。
需要的访问权限 :集群管理员
先决条件 :您必须安装 Gatekeeper。如需更多信息,请参阅 open-policy-agent/gatekeeper 存储库。
2.5.14.1. 创建 gatekeeper 策略
您可以使用命令行界面(CLI)为 gatekeeper 策略创建 YAML 文件。使用 Red Hat Advanced Cluster Management for Kubernetes 配置策略,将 gatekeeper 策略从 hub 集群传播到受管集群。查看以下部分,为准入和审核场景创建 gatekeeper 策略:
2.5.14.1.1. 创建用于准入的 gatekeeper 策略
使用 Red Hat Advanced Cluster Management 配置策略创建一个 gatekeeper 策略,该策略会查找由 gatekeeper admission webhook 生成的事件。
备注:gatekeeper 必须将 emit-admission-events 设置为 true 一起部署。
为您的 gatekeeper 策略创建 YAML 文件。运行以下命令:
kubectl create -f policy-gatekeeper-admission.yaml
您的 gatekeeper 策略可能类似以下策略:
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: policy-gatekeeper
namespace: default
annotations:
policy.open-cluster-management.io/standards:
policy.open-cluster-management.io/categories:
policy.open-cluster-management.io/controls:
spec:
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-gatekeeper-k8srequiredlabels
spec:
remediationAction: enforce # will be overridden by remediationAction in parent policy
severity: low
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
validation:
# Schema for the `parameters` field
openAPIV3Schema:
properties:
labels:
type: array
items: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8srequiredlabels
violation[{"msg": msg, "details": {"missing_labels": missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.parameters.labels[_]}
missing := required - provided
count(missing) > 0
msg := sprintf("you must provide labels: %v", [missing])
}
- complianceType: musthave
objectDefinition:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: ns-must-have-gk
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Namespace"]
parameters:
labels: ["gatekeeper"]
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-gatekeeper-admission
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
severity: low
object-templates:
- complianceType: mustnothave
objectDefinition:
apiVersion: v1
kind: Event
metadata:
namespace: gatekeeper-system
annotations:
constraint_action: deny
constraint_kind: K8sRequiredLabels
constraint_name: ns-must-have-gk
event_type: violation2.5.14.1.2. 为审计创建 gatekeeper 策略
使用产品配置策略创建一个 gatekeeper 策略,该策略会根据 gatekeeper 策略定期检查并评估现有资源。Red Hat Advanced Cluster Management 配置策略检查 gatekeeper 约束的 status 字段中的违反情况。
为您的 gatekeeper 策略创建 YAML 文件。运行以下命令:
kubectl create -f policy-gatekeeper-audit.yaml
您的 gatekeeper 策略可能类似以下策略:
apiVersion: policy.open-cluster-management.io/v1 kind: Policy metadata: name: policy-gatekeeper namespace: default annotations: policy.open-cluster-management.io/standards: policy.open-cluster-management.io/categories: policy.open-cluster-management.io/controls: spec: disabled: false policy-templates: - objectDefinition: apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: name: policy-gatekeeper-audit spec: remediationAction: inform # will be overridden by remediationAction in parent policy severity: low object-templates: - complianceType: musthave objectDefinition: apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredLabels metadata: name: ns-must-have-gk status: totalViolations: 0 violations: []
有关将第三方策略整合到产品中的更多信息,请参阅集成第三方策略控制器。