@tonyprawiro
Created October 7, 2022 23:35
Gatekeeper on minikube for quick learning
# Setup docker for Amazon Linux
sudo yum -y install docker
sudo usermod -a -G docker ec2-user
newgrp docker
sudo systemctl start docker.service
# Setup docker for Ubuntu
# Tested with Vagrant box ubuntu/focal64 version 20221005.0.0
# Vagrantfile:
# Vagrant.configure("2") do |config|
# config.vm.box = "ubuntu/focal64"
# config.vm.boot_timeout = 3600
# config.vm.network "public_network"
# config.vm.provider "virtualbox" do |v|
# v.customize ["modifyvm", :id, "--memory", 4192]
# v.customize ["modifyvm", :id, "--cpus", 2]
# end
# end
sudo snap install docker
sudo snap connect docker:home
sudo addgroup --system docker
sudo adduser $USER docker
newgrp docker
sudo snap disable docker
sudo snap enable docker
# Minikube
curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
sudo install minikube-linux-amd64 /usr/local/bin/minikube
minikube start
alias k="minikube kubectl --"
# Dashboard - optional (WARNING: INSECURE!! - LIMIT INBOUND TRAFFIC TO THE MACHINE ONLY FROM TRUSTED NETWORK)
minikube dashboard
k proxy --address='0.0.0.0' --disable-filter=true
http://IPADDRESS:8001/api/v1/namespaces/kubernetes-dashboard/services/http:kubernetes-dashboard:/proxy/#/pod?namespace=_all
# Setup Gatekeeper
k create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user minikube
k apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml
# YAML files
k8srequiredlabels.yaml
----------------------------------------------------
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("you must provide labels: %v", [missing])
        }
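Rego unit tests for the template's policy, added here as an example (not part of the gist): they assume the rego block from k8srequiredlabels.yaml was saved as k8srequiredlabels.rego next to this file, and use constructed admission-review inputs to show the allow, deny and no-labels-at-all cases before the template is deployed.

```rego
package k8srequiredlabels

# Constructed admission review: a Namespace carrying some labels but not "gatekeeper".
unlabeled_ns := {
  "review": {"object": {
    "apiVersion": "v1",
    "kind": "Namespace",
    "metadata": {"name": "demo", "labels": {"team": "platform"}}
  }},
  "parameters": {"labels": ["gatekeeper"]}
}

# The required label is absent: exactly one violation, naming the missing label.
test_missing_label_is_denied {
  results := violation with input as unlabeled_ns
  count(results) == 1
  results[_].details.missing_labels == {"gatekeeper"}
}

# Same object with the label added: no violation, so admission is allowed.
test_present_label_is_allowed {
  labeled := json.patch(unlabeled_ns, [{
    "op": "add",
    "path": "/review/object/metadata/labels/gatekeeper",
    "value": "enabled"
  }])
  count(violation) == 0 with input as labeled
}

# Edge case: metadata.labels is missing entirely. The set comprehension yields an
# empty "provided" set, so every required label is reported, not an evaluation error.
test_no_labels_block_reports_all_required {
  results := violation with input as {
    "review": {"object": {"kind": "Namespace", "metadata": {"name": "bare"}}},
    "parameters": {"labels": ["gatekeeper", "owner"]}
  }
  results[_].details.missing_labels == {"gatekeeper", "owner"}
}
```

Run with `opa test -v k8srequiredlabels.rego k8srequiredlabels_test.rego`; the tests use the same pre-v1 Rego syntax as the template, so on OPA 1.x add `--v0-compatible`.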
ns-must-have-gk.yaml
----------------------------------------------------
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: ns-must-have-gk
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    labels: ["gatekeeper"]
sync-namespace-pods.yaml
----------------------------------------------------
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: "gatekeeper-system"
spec:
  sync:
    syncOnly:
      - group: ""
        version: "v1"
        kind: "Namespace"
      - group: ""
        version: "v1"
        kind: "Pod"
exclusions.yaml
----------------------------------------------------
# Gatekeeper reads a single Config object named "config" in gatekeeper-system, so
# applying this file replaces sync-namespace-pods.yaml above; merge spec.sync and
# spec.match into one Config if both are needed.
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: "gatekeeper-system"
spec:
  match:
    - excludedNamespaces: ["kube-*", "my-namespace"]
      processes: ["*"]
    - excludedNamespaces: ["audit-excluded-ns"]
      processes: ["audit"]
    - excludedNamespaces: ["audit-webhook-sync-excluded-ns"]
      processes: ["audit", "webhook", "sync"]
    - excludedNamespaces: ["mutation-excluded-ns"]
      processes: ["mutation-webhook"]