@ritazh
Last active June 6, 2019 17:52
Gatekeeper v3 things

Notes for how things are defined in the Gatekeeper project and the expected behavior to date.

Scenarios

There are two types of scenarios for enforcing policies:

  • create scenario (green field): requests that are rejected by the API server as a result of the validating webhook; the records of those rejections are currently persisted only in the k8s audit log.
  • compliance scenario (brown field): audit results and dry-run results that identify existing resources in the cluster that violate a constraint.

Namespace awareness/exclusion

Purpose

To give users the ability to

  • create constraints that only limit certain namespaces (applicable to create and compliance scenarios)

    • match using namespace. Example: prod-repo-is-openpolicyagent constraint

      apiVersion: constraints.gatekeeper.sh/v1alpha1
      kind: K8sAllowedRepos
      metadata:
        name: prod-repo-is-openpolicyagent
      spec:
        match:
          kinds:
            - apiGroups: [""]
              kinds: ["Pod"]
          namespaces:
            - "production"
        parameters:
          repos:
            - "openpolicyagent"

    • match using labelSelector. Example: prodworkload-repo-is-openpolicyagent constraint will match any pod that has the prodworkload label

      apiVersion: constraints.gatekeeper.sh/v1alpha1
      kind: K8sAllowedRepos
      metadata:
        name: prodworkload-repo-is-openpolicyagent
      spec:
        match:
          kinds:
            - apiGroups: [""]
              kinds: ["Pod"]
          labelSelector:
            matchExpressions:
            - key: prodworkload
              operator: Exists
        parameters:
          repos:
            - "openpolicyagent"

  • exclude validation webhook on certain namespaces (applicable to create scenarios only)

    Example: validation.gatekeeper.sh ValidatingWebhookConfiguration

    apiVersion: admissionregistration.k8s.io/v1beta1
    kind: ValidatingWebhookConfiguration
    metadata:
      name: validation.gatekeeper.sh
    webhooks:
    - clientConfig:
        caBundle: <omitted>
        service:
          name: gatekeeper-controller-manager-service
          namespace: gatekeeper-system
          path: /v1/admit
      failurePolicy: Ignore
      name: validation.gatekeeper.sh
      namespaceSelector:
        matchExpressions:
        - key: control-plane
          operator: DoesNotExist
      rules:
      - apiGroups:
        - '*'
        apiVersions:
        - '*'
        operations:
        - CREATE
        - UPDATE
        resources:
        - '*'
      sideEffects: Unknown
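The following is an added example, not code from the Gatekeeper project or from these notes. It models the two mechanisms shown above in plain Python: how a constraint's spec.match block (kinds, namespaces, labelSelector) selects objects, and how the webhook's namespaceSelector and failurePolicy decide whether a request is reviewed at all and what happens if the webhook cannot answer. The function names (selector_matches, kinds_match, constraint_applies, webhook_reviews, admission_decision, pod) are my own, the selector rules follow the Kubernetes LabelSelector semantics, and the constraint and webhook dicts are constructed sample data mirroring the YAML in the notes; real Gatekeeper does the constraint matching in its controller and the API server evaluates the namespaceSelector.

```python
"""Added example, not Gatekeeper's own code: a model of how a constraint's
spec.match block and the webhook's namespaceSelector decide which requests a
policy applies to. Selector semantics follow the Kubernetes LabelSelector
rules (every matchLabels and matchExpressions entry must hold)."""

SUPPORTED_OPERATORS = {"In", "NotIn", "Exists", "DoesNotExist"}


def selector_matches(selector, labels):
    """Evaluate a LabelSelector against a label map. An absent or empty
    selector matches everything, so a constraint without labelSelector
    applies to every object of the matched kinds."""
    if not selector:
        return True
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op, values = expr["key"], expr["operator"], expr.get("values") or []
        if op not in SUPPORTED_OPERATORS:
            raise ValueError(f"unknown operator {op!r}")
        present = key in labels
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
        if op == "In" and (not present or labels[key] not in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
    return True


def kinds_match(kinds, api_group, kind):
    """True if (api_group, kind) is listed under match.kinds; '*' is a
    wildcard and an empty list matches every kind."""
    if not kinds:
        return True
    for entry in kinds:
        groups = entry.get("apiGroups") or ["*"]
        names = entry.get("kinds") or ["*"]
        if ("*" in groups or api_group in groups) and ("*" in names or kind in names):
            return True
    return False


def constraint_applies(constraint, obj):
    """Does the constraint's match block select obj (a dict with kind,
    apiGroup ('' for the core group) and metadata)?"""
    match = constraint.get("spec", {}).get("match", {})
    meta = obj.get("metadata", {})
    if not kinds_match(match.get("kinds"), obj.get("apiGroup", ""), obj["kind"]):
        return False
    namespaces = match.get("namespaces")
    if namespaces and meta.get("namespace") not in namespaces:
        return False
    return selector_matches(match.get("labelSelector"), meta.get("labels") or {})


def webhook_reviews(webhook, namespace_labels, operation):
    """Would the API server send this request to the webhook at all?
    Namespaces excluded by namespaceSelector never reach Gatekeeper, so
    nothing about them is rejected or recorded (create scenario only)."""
    if not selector_matches(webhook.get("namespaceSelector"), namespace_labels):
        return False
    # The rules above use '*' for groups, versions and resources, so only
    # the operation list is checked here.
    return any(operation in r.get("operations", []) for r in webhook.get("rules", []))


def admission_decision(webhook, webhook_reachable, has_violation):
    """failurePolicy decides the outcome when the webhook cannot answer:
    Ignore is fail-open (request admitted), Fail is fail-closed."""
    if not webhook_reachable:
        return webhook.get("failurePolicy", "Fail") == "Ignore"
    return not has_violation


# Constructed sample data mirroring the two constraints and the webhook above.
PROD_CONSTRAINT = {"kind": "K8sAllowedRepos", "spec": {"match": {
    "kinds": [{"apiGroups": [""], "kinds": ["Pod"]}], "namespaces": ["production"]}}}
PRODWORKLOAD_CONSTRAINT = {"kind": "K8sAllowedRepos", "spec": {"match": {
    "kinds": [{"apiGroups": [""], "kinds": ["Pod"]}],
    "labelSelector": {"matchExpressions": [{"key": "prodworkload", "operator": "Exists"}]}}}}
GATEKEEPER_WEBHOOK = {
    "failurePolicy": "Ignore",
    "namespaceSelector": {"matchExpressions": [{"key": "control-plane", "operator": "DoesNotExist"}]},
    "rules": [{"apiGroups": ["*"], "apiVersions": ["*"], "operations": ["CREATE", "UPDATE"], "resources": ["*"]}],
}


def pod(namespace, labels=None):
    """Minimal core/v1 Pod-like object (constructed, not read from a cluster)."""
    return {"kind": "Pod", "apiGroup": "", "metadata": {"namespace": namespace, "labels": labels or {}}}


if __name__ == "__main__":
    print(constraint_applies(PROD_CONSTRAINT, pod("production")))  # True
    print(webhook_reviews(GATEKEEPER_WEBHOOK, {"control-plane": "controller-manager"}, "CREATE"))  # False
    print(admission_decision(GATEKEEPER_WEBHOOK, webhook_reachable=False, has_violation=True))  # True
```

Two things the model makes visible that the YAML alone does not: a namespace carrying the control-plane label is never sent to the webhook, so a violating pod created there is neither rejected nor recorded in the audit log (only the compliance scenario would later surface it), and failurePolicy: Ignore means that while the Gatekeeper service is unreachable every request passes, so the audit/dry-run path is what catches objects admitted during an outage.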

Namespace-scoped Constraints

Purpose

To allow administrators of namespaces to declare constraints on their namespace without giving them the ability to constrain other namespaces.
