-
Notifications
You must be signed in to change notification settings - Fork 763
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
- Loading branch information
1 parent
6dfc0c6
commit 9eb83e0
Showing
5 changed files
with
143 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| > [!WARNING] | ||
| > This is a demo of an alpha feature and is subject to change. | ||
| This demo shows: | ||
|
|
||
| 1. Configuring different validation actions for different enforcement points. | ||
| 2. Integration with VAP as enforcement point such that admission validation can be handled by [Kubernetes's in-process Validating Admission Policy Controller](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) instead of the Gatekeeper admission webhook. In the event the Validating Admission Policy Controller fails open, then Gatekeeper admission webhook can act as a fallback. This requires clusters with the Kubernetes Validating Admission Policy feature enabled. | ||
|
|
||
| Please refer to <https://open-policy-agent.github.io/gatekeeper/website/docs/next/validating-admission-policy> for pre-requisites and configuration steps. | ||
|
|
||
| ## Demo | ||
|
|
||
| <img width= "900" height="500" src="demo.gif" alt="vap demo"> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| #!/bin/bash | ||
|
|
||
| . ../../third_party/demo-magic/demo-magic.sh | ||
|
|
||
| clear | ||
|
|
||
| # cmd | ||
|
|
||
| p "Deploy the constraint template" | ||
|
|
||
| pe "kubectl apply -f k8srequiredlabels_template_usevap.yaml" | ||
|
|
||
| p "View Constraint template to see the K8sNativeValidation engine and CEL rules are added" | ||
|
|
||
| pe "cat k8srequiredlabels_template_usevap.yaml" | ||
|
|
||
| pe "kubectl apply -f owner_must_be_provided.yaml" | ||
|
|
||
| pe "cat owner_must_be_provided.yaml" | ||
|
|
||
| p "Notice that only audit and validation is added as enforcement points and VAP as enforcement point is not added in the constraint" | ||
|
|
||
| p "Let's test the policy" | ||
|
|
||
| pe "kubectl create ns test" | ||
|
|
||
| p "Note the namespace was blocked by the Gatekeeper webhook as evaluated by the CEL rules" | ||
|
|
||
| p "" | ||
|
|
||
| p "Now let's add the VAP as enforcement point and update the constraint" | ||
|
|
||
| pe "kubectl apply -f owner_must_be_provided_usevap.yaml" | ||
|
|
||
| pe "cat owner_must_be_provided_usevap.yaml" | ||
|
|
||
| p "VAPBinding with validation aciton warn should get created automatically with inclusion of VAP as enforcement point with warn action since ConstraintTemplate has CEL and intent to use VAP" | ||
|
|
||
| pe "kubectl get ValidatingAdmissionPolicy" | ||
|
|
||
| pe "kubectl get ValidatingAdmissionPolicyBinding" | ||
|
|
||
| p "Let's test the policy" | ||
|
|
||
| pe "kubectl create ns test" | ||
|
|
||
| p "Note the warning is generated by the ValidatingAdmissionPolicy admission controller and the namespace is blocked by the Gatekeeper webhook as evaluated by the CEL rules" | ||
|
|
||
| p "THE END" | ||
|
|
||
| kubectl delete constrainttemplates --all |
36 changes: 36 additions & 0 deletions
36
demo/scoped-enforcement-actions/k8srequiredlabels_template_usevap.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| apiVersion: templates.gatekeeper.sh/v1 | ||
| kind: ConstraintTemplate | ||
| metadata: | ||
| name: k8srequiredlabels | ||
| spec: | ||
| crd: | ||
| spec: | ||
| names: | ||
| kind: K8sRequiredLabels | ||
| validation: | ||
| # Schema for the `parameters` field | ||
| openAPIV3Schema: | ||
| type: object | ||
| properties: | ||
| message: | ||
| type: string | ||
| labels: | ||
| type: array | ||
| items: | ||
| type: object | ||
| properties: | ||
| key: | ||
| type: string | ||
| allowedRegex: | ||
| type: string | ||
| targets: | ||
| - target: admission.k8s.gatekeeper.sh | ||
| code: | ||
| - engine: K8sNativeValidation | ||
| source: | ||
| generateVAP: true | ||
| validations: | ||
| - expression: '(has(variables.anyObject.metadata) && variables.params.labels.all(entry, has(variables.anyObject.metadata.labels) && entry.key in variables.anyObject.metadata.labels))' | ||
| messageExpression: '"missing required label, requires all of: " + variables.params.labels.map(entry, entry.key).join(", ")' | ||
| - expression: '(has(variables.anyObject.metadata) && variables.params.labels.all(entry, has(variables.anyObject.metadata.labels) && entry.key in variables.anyObject.metadata.labels && string(variables.anyObject.metadata.labels[entry.key]).matches(string(entry.allowedRegex))))' | ||
| message: "regex mismatch" |
20 changes: 20 additions & 0 deletions
20
demo/scoped-enforcement-actions/owner_must_be_provided.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
| kind: K8sRequiredLabels | ||
| metadata: | ||
| name: all-must-have-owner | ||
| spec: | ||
| enforcementAction: scoped | ||
| scopedEnforcementActions: | ||
| - action: deny | ||
| enforcementPoints: | ||
| - name: validation.gatekeeper.sh | ||
| - name: audit.gatekeeper.sh | ||
| match: | ||
| kinds: | ||
| - apiGroups: [""] | ||
| kinds: ["Namespace"] | ||
| parameters: | ||
| message: "All namespaces must have an `owner` label that points to your company username" | ||
| labels: | ||
| - key: owner | ||
| allowedRegex: "^[a-zA-Z]+.agilebank.demo$" |
23 changes: 23 additions & 0 deletions
23
demo/scoped-enforcement-actions/owner_must_be_provided_usevap.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
| kind: K8sRequiredLabels | ||
| metadata: | ||
| name: all-must-have-owner | ||
| spec: | ||
| enforcementAction: scoped | ||
| scopedEnforcementActions: | ||
| - action: deny | ||
| enforcementPoints: | ||
| - name: validation.gatekeeper.sh | ||
| - name: audit.gatekeeper.sh | ||
| - action: warn | ||
| enforcementPoints: | ||
| - name: vap.k8s.io | ||
| match: | ||
| kinds: | ||
| - apiGroups: [""] | ||
| kinds: ["Namespace"] | ||
| parameters: | ||
| message: "All namespaces must have an `owner` label that points to your company username" | ||
| labels: | ||
| - key: owner | ||
| allowedRegex: "^[a-zA-Z]+.agilebank.demo$" |