This is a quick example of how to use OPA as a Mutating Admission Controller in Kubernetes 1.9.
- Register OPA as a MutatingAdmissionWebhook
- Load a policy to test mutation
- Exercise the policy
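#!/bin/bash
# Obtain a GCP access token for use with curl against a REST API.
#
# Environment:
#   IG_URLS - expected to be supplied by the caller (its consumer lies
#             outside this excerpt). It is checked up front so a missing
#             value produces a clear message instead of a nounset error
#             at first use.
set -o errexit
set -o nounset
set -o pipefail

: "${IG_URLS?IG_URLS must be set in the environment}"

# GET auth token to be used in curl/rest api.
# NOTE(review): the token lives in a shell variable from here on. Do not
# enable `set -x` in this script, and prefer handing it to curl through a
# header file (`-H @file`) or stdin rather than on the command line, where
# it is visible to other local users via `ps`.
AUTH_TOKEN=$(gcloud auth print-access-token)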
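#! /bin/bash
# Generate the RSA private key for an in-cluster TLS identity.
#
# Arguments:
#   $1 - app name, used as the key filename prefix (default: mutateme)
#   $2 - namespace (default: default)
# Outputs:
#   writes ${APP}.key (2048-bit RSA private key) to the current directory
#   and exports APP, NAMESPACE and CSR_NAME for later steps.
set -o errexit

export APP="${1:-mutateme}"
export NAMESPACE="${2:-default}"
# In-cluster service DNS name; presumably the CSR subject used by a later
# step outside this excerpt.
export CSR_NAME="${APP}.${NAMESPACE}.svc"

# Fix: the original referenced ${app} (lowercase, never set), so the
# message read "... creating .key".
echo "... creating ${APP}.key"

# Private key material: restrict the file mode at creation time rather than
# relying on the OpenSSL version to do so (whether genrsa narrows the mode
# itself varies by release). The subshell keeps the umask local to this step.
( umask 077; openssl genrsa -out "${APP}.key" 2048 )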
<!DOCTYPE NETSCAPE-Bookmark-file-1> | |
<!-- This is an automatically generated file. | |
It will be read and overwritten. | |
DO NOT EDIT! --> | |
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8"> | |
<TITLE>Bookmarks</TITLE> | |
<H1>Bookmarks</H1> | |
<DL><p> | |
<DT><H3 ADD_DATE="1626629115" LAST_MODIFIED="1626629462" PERSONAL_TOOLBAR_FOLDER="true">Bookmarks bar</H3> | |
<DL><p> |
SUBSYSTEM!="sound", GOTO="pulseaudio_end" | |
ACTION!="change", GOTO="pulseaudio_end" | |
KERNEL!="card*", GOTO="pulseaudio_end" | |
SUBSYSTEMS=="pci", ATTRS{vendor}=="0x106b", ATTRS{device}=="0x1803", ENV{PULSE_PROFILE_SET}="apple-t2.conf" | |
LABEL="pulseaudio_end" |
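#! /bin/sh
# Generate the RSA private key for an in-cluster TLS identity (POSIX sh).
#
# Arguments:
#   $1 - app name, used as the key filename prefix (default: mutateme)
#   $2 - namespace (default: default)
# Outputs:
#   writes ${APP}.key (2048-bit RSA private key) to the current directory
#   and exports APP, NAMESPACE and CSR_NAME for later steps.
set -o errexit

export APP="${1:-mutateme}"
export NAMESPACE="${2:-default}"
# In-cluster service DNS name; presumably the CSR subject used by a later
# step outside this excerpt.
export CSR_NAME="${APP}.${NAMESPACE}.svc"

# Fix: the original referenced ${app} (lowercase, never set), so the
# message read "... creating .key".
printf '%s\n' "... creating ${APP}.key"

# Private key material: restrict the file mode at creation time rather than
# relying on the OpenSSL version to do so (whether genrsa narrows the mode
# itself varies by release). The subshell keeps the umask local to this step.
( umask 077; openssl genrsa -out "${APP}.key" 2048 )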
#!/bin/bash
#
# chunkwm configuration: point the core at the directory plugins are
# loaded from. The value must be an absolute path; '~' expansion is
# supported by chunkc.
#
chunkwm_plugin_dir="/usr/local/opt/chunkwm/share/chunkwm/plugins"
chunkc core::plugin_dir "${chunkwm_plugin_dir}"
#
#!/bin/sh | |
# Launch a Pod that abuses a hostPath mount to land on a Kubernetes cluster node as root
# without requiring `privileged: true`. In particular this sidesteps the `DenyExecOnPrivileged`
# admission controller, since the Pod itself is never marked privileged.
# The Pod's command in turn starts a privileged container through the node's /var/run/docker.sock.
node=${1} | |
case "${node}" in | |
"") | |
nodeSelector='' | |
podName=${USER+${USER}-}docker-any |
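#!/bin/bash
# Vault helper: read positional arguments and verify the required
# environment before doing anything else.
#
# Arguments (meaning inferred from the names; their use lies outside this
# excerpt):
#   $1 - VAULT_PATH
#   $2 - ROLE
#   $3 - DURATION
# Environment:
#   VAULT_ADDR - address of the Vault server (required)
VAULT_PATH="$1"
ROLE="$2"
DURATION="$3"

# Fail fast if Vault is not addressable; diagnostics go to stderr so they
# are not mistaken for script output by a caller capturing stdout.
if [[ -z "${VAULT_ADDR:-}" ]]; then
  echo "Missing VAULT_ADDR env variable" >&2
  exit 1
fi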
if [ -z "$VAULT_PATH" ]; then |
#!/bin/bash
#
# chunkwm configuration: point the core at the directory plugins are
# loaded from. The value must be an absolute path; '~' expansion is
# supported by chunkc.
#
chunkwm_plugin_dir="/usr/local/opt/chunkwm/share/chunkwm/plugins"
chunkc core::plugin_dir "${chunkwm_plugin_dir}"
#