Created
November 23, 2021 03:26
-
-
Save antigenius0910/e6a342cc6355387fca1ecb7500eb1b89 to your computer and use it in GitHub Desktop.
Gatekeeper policy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: constraints.gatekeeper.sh/v1beta1 | |
| kind: K8sNsAuth | |
| metadata: | |
| name: block-deployment-prohibit-namespaces | |
| spec: | |
| match: | |
| kinds: | |
| - apiGroups: [""] | |
| kinds: ["*"] | |
| parameters: | |
| namespaces: | |
| - "default" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| name: nginx-deployment | |
| namespace: default | |
| labels: | |
| app: nginx | |
| spec: | |
| replicas: 3 | |
| selector: | |
| matchLabels: | |
| app: nginx | |
| template: | |
| metadata: | |
| labels: | |
| app: nginx | |
| spec: | |
| containers: | |
| - name: nginx | |
| image: nginx:1.14.2 | |
| ports: | |
| - containerPort: 80 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: templates.gatekeeper.sh/v1beta1 | |
| kind: ConstraintTemplate | |
| metadata: | |
| name: k8snsauth | |
| spec: | |
| crd: | |
| spec: | |
| names: | |
| kind: K8sNsAuth | |
| validation: | |
| openAPIV3Schema: | |
| properties: | |
| namespaces: | |
| type: array | |
| items: string | |
| targets: | |
| - target: admission.k8s.gatekeeper.sh | |
| rego: | | |
| package k8sroleauth | |
| violation[{ "msg": msg}]{ | |
| ### following line will not work for "deployment" kind since the debug output is "Pod" not "Deployment" | |
| #input.review.object.kind == "Deployment" | |
| namespace := input.review.object.metadata.namespace | |
| disallowed_namespace := input.parameters.namespaces[_] | |
| contains(disallowed_namespace,namespace) | |
| debug := input.review.object.kind | |
| msg := sprintf("create resources under default namespace is not allowed on envoy prod cluster", [debug])} |
Author
antigenius0910
commented
Nov 23, 2021
•
│ status: │
│ conditions: │
│ - lastTransitionTime: "2021-11-23T03:18:06Z" │
│ lastUpdateTime: "2021-11-23T03:18:06Z" │
│ message: Created new replica set "nginx-deployment-66b6c48dd5" │
│ reason: NewReplicaSetCreated │
│ status: "True" │
│ type: Progressing │
│ - lastTransitionTime: "2021-11-23T03:18:06Z" │
│ lastUpdateTime: "2021-11-23T03:18:06Z" │
│ message: Deployment does not have minimum availability. │
│ reason: MinimumReplicasUnavailable │
│ status: "False" │
│ type: Available │
│ - lastTransitionTime: "2021-11-23T03:18:06Z" │
│ lastUpdateTime: "2021-11-23T03:18:06Z" │
│ message: 'admission webhook "validation.gatekeeper.sh" denied the request: [block-deployment-prohibit-namespaces] │
│ create deployment under default ns is not allowed on envoy prod cluster%!(EXTRA │
│ string=Pod)' │
│ reason: FailedCreate │
│ status: "True" │
│ type: ReplicaFailure │
│ observedGeneration: 1 │
│ unavailableReplicas: 3
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment