Kubernetes之Open Policy Agent的實踐

很簡單，只需要在Kubernetes下安裝gatekeeper，

下載安裝模板，wget https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml，

執行，kubectl apply -f gatekeeper.yaml，

接下來就全都是效果驗證，

創建能控制容器鏡像的模板，vim k8srequiredregistry_template.yaml，

apiVersion: templates.gatekeeper.sh/v1beta1

kind: ConstraintTemplate

metadata:

 name: k8srequiredregistry

spec:

 crd:

   spec:

     names:

       kind: K8sRequiredRegistry

     validation:

       # Schema for the `parameters` field

       openAPIV3Schema:

         properties:

           image:

             type: string

 targets:

   - target: admission.k8s.gatekeeper.sh

     rego: |

       package k8srequiredregistry

       violation[{"msg": msg, "details": {"Registry should be": required}}] {

         input.review.object.kind == "Pod"

         some i

         image := input.review.object.spec.containers[i].image

         required := input.parameters.registry

         not startswith(image,required)

         msg := sprintf("Forbidden registry: %v", [image])

       }

創建策略，僅允許使用docker.mirrors.ustc.edu.cn的鏡像，

vim all_images_must_come_from_docker.mirrors.ustc.edu.cn.yaml，

apiVersion: constraints.gatekeeper.sh/v1beta1

kind: K8sRequiredRegistry

metadata:

 name: images-must-come-from-docker.mirrors.ustc.edu.cn

spec:

 match:

   kinds:

     - apiGroups: [""]

       kinds: ["Pod"]

 parameters:

   registry: "docker.mirrors.ustc.edu.cn/"

創建個違反策略的容器部署，

vim sshd-deployment-opa.yaml，

apiVersion: apps/v1

kind: Deployment

metadata:

 name: sshd-opa

 labels:

   app: sshd-opa

 namespace: default

spec:

 selector:

   matchLabels:

     app: sshd-opa

 template:

   metadata:

     labels:

       app: sshd-opa

   spec:

     containers:

     - name: sshd-opa

       image: rastasheep/ubuntu-sshd:14.04

       imagePullPolicy: IfNotPresent

       ports:

       - containerPort: 22

沒創建成功，查容器實例都查不到，但可以查看部署信息，

kubectl get deployments sshd-opa -o yaml，

確認是由于僅允許使用docker.mirrors.ustc.edu.cn的鏡像的策略導致。