2.5.10. 集成 gatekeeper 约束和约束模板
Gatekeeper 是一个验证 webhook,它强制执行基于自定义资源定义(CRD)的策略,该策略与 Open Policy Agent(OPA)一起运行。您可以使用 gatekeeper operator 策略在集群中安装 gatekeeper。Gatekeeper 策略可用于评估 Kubernetes 资源合规性。您可以使用 OPA 作为策略引擎,并使用 Rego 作为策略语言。
gatekeeper 策略在 Red Hat Advanced Cluster Management 中作为 Kubernetes 配置策略创建。Gatekeeper 策略包括约束模板(ConstraintTemplates)和 Constraints、审计模板和准入模板。如需更多信息,请参阅 Gatekeeper 上游存储库。
Red Hat Advanced Cluster Management 支持 Gatekeeper 版本 3.3.0,并在 Red Hat Advanced Cluster Management gatekeeper 策略中应用以下约束模板:
ConstraintTemplates和约束: 使用policy-gatekeeper-k8srequiredlabels策略在受管集群上创建 gatekeeper 约束模板。apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: name: policy-gatekeeper-k8srequiredlabels spec: remediationAction: enforce # will be overridden by remediationAction in parent policy severity: low object-templates: - complianceType: musthave objectDefinition: apiVersion: templates.gatekeeper.sh/v1beta1 kind: ConstraintTemplate metadata: name: k8srequiredlabels spec: crd: spec: names: kind: K8sRequiredLabels validation: # Schema for the `parameters` field openAPIV3Schema: properties: labels: type: array items: string targets: - target: admission.k8s.gatekeeper.sh rego: | package k8srequiredlabels violation[{"msg": msg, "details": {"missing_labels": missing}}] { provided := {label | input.review.object.metadata.labels[label]} required := {label | label := input.parameters.labels[_]} missing := required - provided count(missing) > 0 msg := sprintf("you must provide labels: %v", [missing]) } - complianceType: musthave objectDefinition: apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredLabels metadata: name: ns-must-have-gk spec: match: kinds: - apiGroups: [""] kinds: ["Namespace"] namespaces: - e2etestsuccess - e2etestfail parameters: labels: ["gatekeeper"]审计模板: 使用
policy-gatekeeper-audit定期检查并评估为检测出错误协调而强制执行的门管理器策略的现有资源。apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: name: policy-gatekeeper-audit spec: remediationAction: inform # will be overridden by remediationAction in parent policy severity: low object-templates: - complianceType: musthave objectDefinition: apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredLabels metadata: name: ns-must-have-gk status: totalViolations: 0Admission 模板: 使用
policy-gatekeeper-admission检查由 gatekeeper admission webhook 创建的错误配置:apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: name: policy-gatekeeper-admission spec: remediationAction: inform # will be overridden by remediationAction in parent policy severity: low object-templates: - complianceType: mustnothave objectDefinition: apiVersion: v1 kind: Event metadata: namespace: openshift-gatekeeper-system # set it to the actual namespace where gatekeeper is running if different annotations: constraint_action: deny constraint_kind: K8sRequiredLabels constraint_name: ns-must-have-gk event_type: violation
如需了解更多详细信息,请参阅 policy-gatekeeper-sample.yaml。
了解如何使用 Red Hat Advanced Cluster Management gatekeeper operator 策略安装 gatekeeper 并创建 Red Hat Advanced Cluster Management gatekeeper operator 策略,请参阅管理 gatekeeper operator 策略 以了解更多详细信息。有关安全框架的更多主题,请参阅监管。
