Task weight: 6%

Use context: kubectl config use-context infra-prod

The Open Policy Agent and Gatekeeper have been installed to, among other things, enforce blacklisting of certain image registries. Alter the existing constraint and/or template to also blacklist images from very-bad-registry.com.

Test it by creating a single Pod using image very-bad-registry.com/image in Namespace default; it shouldn't work.

You can also verify your changes by looking at the existing Deployment untrusted in Namespace default; it uses an image from the new untrusted source. The OPA constraint should throw violation messages for this one.


Solution
kubectl config use-context infra-prod

Inspect the OPA constraints

k get crd
k get constraint
k edit constrainttemplates blacklistimages
# kubectl edit constrainttemplates blacklistimages
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
...
spec:
  crd:
    spec:
      names:
        kind: BlacklistImages
  targets:
  - rego: |
      package k8strustedimages

      images {
        image := input.review.object.spec.containers[_].image
        not startswith(image, "docker-fake.io/")
        not startswith(image, "google-gcr-fake.com/")
        not startswith(image, "very-bad-registry.com/") # add this line
      }

      violation[{"msg": msg}] {
        not images
        msg := "not trusted image!"
      }
    target: admission.k8s.gatekeeper.sh
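The Rego rule above modelled in Python, as an added example that is not part of the page or the course material. It shows a caveat worth knowing as a defender: `images` is satisfied as soon as any one container uses a non-blacklisted image, so `violation` only fires when every container in the Pod is blacklisted, and initContainers are never inspected at all. The second function is a per-container variant that closes both gaps; the admission objects are constructed samples shaped like `input.review`.

```python
# Added example (not the page's code): reproduce the ConstraintTemplate's Rego
# logic in Python so it can be exercised offline against constructed Pod specs.
BLACKLIST = ("docker-fake.io/", "google-gcr-fake.com/", "very-bad-registry.com/")


def blacklisted(image):
    """True when the image reference starts with any blacklisted registry prefix."""
    return any(image.startswith(prefix) for prefix in BLACKLIST)


def violations_as_written(review):
    """Mirror the page's Rego exactly: `images` holds if ANY container is trusted,
    so a violation is reported only when EVERY container is blacklisted."""
    containers = review["object"]["spec"].get("containers", [])
    any_trusted = any(not blacklisted(c["image"]) for c in containers)
    return [] if any_trusted else ["not trusted image!"]


def violations_per_container(review):
    """Hardened variant: one violation per blacklisted container,
    initContainers included, so a mixed Pod cannot slip through."""
    spec = review["object"]["spec"]
    msgs = []
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            if blacklisted(c["image"]):
                msgs.append(f"not trusted image: {c['image']} ({field}/{c['name']})")
    return msgs


def make_review(containers, init_containers=()):
    """Constructed sample in the shape of input.review for a Pod admission request."""
    return {"object": {"kind": "Pod", "spec": {
        "containers": [{"name": n, "image": i} for n, i in containers],
        "initContainers": [{"name": n, "image": i} for n, i in init_containers],
    }}}


if __name__ == "__main__":
    samples = {
        "single_bad": make_review([("app", "very-bad-registry.com/image")]),
        "mixed": make_review([("app", "nginx:1.25"), ("side", "very-bad-registry.com/image")]),
        "init_bad": make_review([("app", "nginx:1.25")], [("init", "docker-fake.io/busybox")]),
    }
    for name, review in samples.items():
        print(name, violations_as_written(review), violations_per_container(review))
```

Running it shows `mixed` and `init_bad` producing no violation under the original rule but one each under the per-container check.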

Check that it takes effect

k run opa-test --image=very-bad-registry.com/image


Check again after a while: the other two Pods are now listed as violations.

k describe blacklistimages pod-trusted-images
