2.6.17.2. 从控制台创建 gatekeeper 策略
完成以下步骤,从控制台安装 gatekeeper operator 策略:
- 登录到您的集群。
- 在导航菜单中点 Governance。
- 选择 Create policy 来创建一个策略。
在填写表单时,从 Specifications 项中选择 GatekeeperOperator。策略的参数值会自动填充,策略默认设置为
inform。将补救操作设置为enforce来安装 gatekeeper。请参阅policy-gatekeeper-operator.yaml查看示例。注: 考虑可由 Operator 生成默认值。如需了解可用于 gatekeeper operator 策略的可选参数的说明,请参阅 Gatekeeper Helm Chart。
2.6.17.2.1. Gatekeeper operator CR
apiVersion: operator.gatekeeper.sh/v1alpha1
kind: Gatekeeper
metadata:
name: gatekeeper
spec:
# Add fields here
image:
image: docker.io/openpolicyagent/gatekeeper:v3.2.2
imagePullPolicy: Always
audit:
replicas: 1
logLevel: DEBUG
auditInterval: 10s
constraintViolationLimit: 55
auditFromCache: Enabled
auditChunkSize: 66
emitAuditEvents: Enabled
resources:
limits:
cpu: 500m
memory: 150Mi
requests:
cpu: 500m
memory: 130Mi
validatingWebhook: Enabled
webhook:
replicas: 2
logLevel: ERROR
emitAdmissionEvents: Enabled
failurePolicy: Fail
resources:
limits:
cpu: 480m
memory: 140Mi
requests:
cpu: 400m
memory: 120Mi
nodeSelector:
region: "EMEA"
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
auditKey: "auditValue"
topologyKey: topology.kubernetes.io/zone
tolerations:
- key: "Example"
operator: "Exists"
effect: "NoSchedule"
podAnnotations:
some-annotation: "this is a test"
other-annotation: "another test"