Task weight: 6%
Use context: kubectl config use-context infra-prod
The Open Policy Agent and Gatekeeper have been installed to, among other things, enforce blacklisting of certain image registries. Alter the existing constraint and/or template to also blacklist images from very-bad-registry.com.
Test it by creating a single Pod using image very-bad-registry.com/image in Namespace default, it shouldn't work.
You can also verify your changes by looking at the existing Deployment untrusted in Namespace default, it uses an image from the new untrusted source. The OPA contraint should throw violation messages for this one.
译文
任务权重:6%。
使用环境: kubectl config use-context infra-prod
Open Policy Agent 和 Gatekeeper 已安装,除其他外,强制将某些图像登记处列入黑名单。改变现有的 约束 和/或 模板,将来自 very-bad-registry.com 的 images 也列入黑名单。
通过使用 default 名称空间的图像 very-bad-registry.com/image 创建一个单一pod来测试,它不应该工作。
你也可以通过查看 Namespace default 中现有的 Deployment untrusted 来验证你的变化,它使用了来自新的不可信任的来源的图像。OPA限制应该为这个问题抛出违规信息。
解答
kubectl config use-context infra-prod检查OPA约束
k get crdk get constraint
k edit constrainttemplates blacklistimages# kubectl edit constrainttemplates blacklistimages
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
...
spec:
crd:
spec:
names:
kind: BlacklistImages
targets:
- rego: |
package k8strustedimages
images {
image := input.review.object.spec.containers[_].image
not startswith(image, "docker-fake.io/")
not startswith(image, "google-gcr-fake.com/")
not startswith(image, "very-bad-registry.com/") #添加这一行
}
violation[{"msg": msg}] {
not images
msg := "not trusted image!"
}
target: admission.k8s.gatekeeper.sh检查是否生效
k run opa-test --image=very-bad-registry.com/image
过一段时间检查,另外两个pod已 被列为违规
k describe blacklistimages pod-trusted-images