@antigenius0910
Created November 23, 2021 03:26
Gatekeeper policy

# Constraint: instance of the K8sNsAuth template defined below
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNsAuth
metadata:
  name: block-deployment-prohibit-namespaces
spec:
  match:
    kinds:
      # apiGroups [""] is the core group only (Pod, etc.); Deployment lives in apps
      - apiGroups: [""]
        kinds: ["*"]
  parameters:
    namespaces:
      - "default"
---
# Test workload: a Deployment in the prohibited namespace
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: default
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.14.2
          ports:
            - containerPort: 80
---
# ConstraintTemplate: defines the K8sNsAuth CRD and its Rego
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8snsauth
spec:
  crd:
    spec:
      names:
        kind: K8sNsAuth
      validation:
        openAPIV3Schema:
          properties:
            namespaces:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sroleauth
        violation[{"msg": msg}] {
          ### following line will not work for "deployment" kind since the debug output is "Pod" not "Deployment"
          # input.review.object.kind == "Deployment"
          namespace := input.review.object.metadata.namespace
          disallowed_namespace := input.parameters.namespaces[_]
          # contains(haystack, needle): true when the request namespace is a substring of the disallowed one
          contains(disallowed_namespace, namespace)
          debug := input.review.object.kind
          # %v consumes the debug argument; without a verb sprintf emits "%!(EXTRA string=...)"
          msg := sprintf("create resources under default namespace is not allowed on envoy prod cluster (kind: %v)", [debug])
        }
@antigenius0910 (Author)
status:
  conditions:
  - lastTransitionTime: "2021-11-23T03:18:06Z"
    lastUpdateTime: "2021-11-23T03:18:06Z"
    message: Created new replica set "nginx-deployment-66b6c48dd5"
    reason: NewReplicaSetCreated
    status: "True"
    type: Progressing
  - lastTransitionTime: "2021-11-23T03:18:06Z"
    lastUpdateTime: "2021-11-23T03:18:06Z"
    message: Deployment does not have minimum availability.
    reason: MinimumReplicasUnavailable
    status: "False"
    type: Available
  - lastTransitionTime: "2021-11-23T03:18:06Z"
    lastUpdateTime: "2021-11-23T03:18:06Z"
    message: 'admission webhook "validation.gatekeeper.sh" denied the request: [block-deployment-prohibit-namespaces]
      create deployment under default ns is not allowed on envoy prod cluster%!(EXTRA
      string=Pod)'
    reason: FailedCreate
    status: "True"
    type: ReplicaFailure
  observedGeneration: 1
  unavailableReplicas: 3
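The Deployment status above shows why the constraint only ever sees `Pod`: the constraint matches `apiGroups: [""]`, which is the core group, so the `apps/v1` Deployment and its ReplicaSet are admitted untouched and the denial surfaces later as a `ReplicaFailure` when the ReplicaSet tries to create Pods. The following template and constraint are an added example (not from the gist) that matches the `apps` group as well, so the Deployment itself is rejected at admission time; it also uses exact namespace equality instead of `contains` and gives `sprintf` a verb for every argument.

```yaml
# Added example, not the gist's own policy: deny the Deployment itself.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8snsauth
spec:
  crd:
    spec:
      names:
        kind: K8sNsAuth
      validation:
        openAPIV3Schema:
          properties:
            namespaces:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8snsauth
        violation[{"msg": msg}] {
          ns := input.review.object.metadata.namespace
          # exact match: contains("default", "def") would also be true and
          # would block an unrelated namespace named "def"
          ns == input.parameters.namespaces[_]
          kind := input.review.object.kind
          msg := sprintf("creating %v in namespace %v is not allowed", [kind, ns])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNsAuth
metadata:
  name: block-deployment-prohibit-namespaces
spec:
  match:
    kinds:
      # "" is the core group (Pod); apps carries Deployment and ReplicaSet,
      # so the request is denied at the Deployment, not at its Pods
      - apiGroups: ["", "apps"]
        kinds: ["Pod", "Deployment", "ReplicaSet"]
  parameters:
    namespaces:
      - "default"
```

Gatekeeper's `match` block also accepts a `namespaces` list, so the namespace scope can be expressed there instead of in `parameters` when no Rego logic depends on it.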
