## Overview

Goal: use OPA Gatekeeper to enforce security and conformance policies inside the cluster, rejecting non-compliant resources at admission time and producing audit reports for resources that already exist.

Applies to: security baselines and conformance governance for production clusters, naming constraints, and permission restrictions.

## Core concepts and hands-on

ConstraintTemplate (forbid privileged containers):

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sforbidprivileged
spec:
  crd:
    spec:
      names:
        kind: K8sForbidPrivileged
      validation:
        openAPIV3Schema:
          type: object
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sforbidprivileged

        violation[{"msg": msg, "details": {}}] {
          input.review.kind.kind == "Pod"
          c := input.review.object.spec.containers[_]
          c.securityContext.privileged == true
          msg := "privileged containers are not allowed"
        }
```

Gatekeeper requires the Rego `package` name to equal the CRD kind in lowercase (`k8sforbidprivileged` for `K8sForbidPrivileged`). Note that this rule only iterates over `spec.containers`; `initContainers` are not inspected by it.
Constraint applied to a namespace:

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sForbidPrivileged
metadata:
  name: forbid-privileged-pods
spec:
  match:
    namespaces: ["prod"]
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
```
Example of a non-compliant resource that gets rejected:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: prod
spec:
  containers:
    - name: c
      image: alpine
      securityContext:
        privileged: true
```
Viewing audit results:

```bash
kubectl get k8sforbidprivileged -o yaml
kubectl -n gatekeeper-system logs deploy/gatekeeper-audit
```
## Verification and monitoring

Installation and health:

```bash
kubectl get pods -n gatekeeper-system
kubectl get constraints,constrainttemplates
```
Exceptions and exemptions: use `match.excludedNamespaces` or `namespaceSelector` to carve out exceptions.

Version governance: keep templates and constraints under version control in GitOps, and audit each change together with its blast radius.

## Common pitfalls

- Writing only a ConstraintTemplate without creating a Constraint, so the policy never takes effect; the template must be bound by a constraint.
- Audit not enabled, or audit logs never reviewed; watch the output of `gatekeeper-audit`.
- Overly broad matching causing false rejections; scope constraints precisely to namespaces and resource kinds.

## Conclusion

Gatekeeper implements admission control and auditing as policy-as-code; combined with GitOps it gives continuous governance of Kubernetes resource compliance and security.
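To make the admission decision above concrete, and to support the GitOps workflow just described, here is an added Python example (not Gatekeeper or OPA code, and not part of the original post) that mirrors the `K8sForbidPrivileged` Rego rule and the Constraint's `match` block so manifests can be pre-checked in CI before they reach the API server. The constraint and pod objects are constructed inline from the YAML on this page; the empty `excludedNamespaces` list is an assumption, and the check of `initContainers` goes beyond the page's rule, which reads only `spec.containers`.

```python
"""Offline mirror of the K8sForbidPrivileged policy for CI pre-checks.
Added example: Gatekeeper evaluates the Rego in-cluster; this reproduces
the same decision in Python against constructed manifests."""
from typing import Dict, List, Tuple

# Constraint from the page, as a constructed dict. excludedNamespaces is
# an assumption (the page mentions the field but leaves it empty).
FORBID_PRIVILEGED: Dict = {
    "kind": "K8sForbidPrivileged",
    "metadata": {"name": "forbid-privileged-pods"},
    "spec": {
        "match": {
            "namespaces": ["prod"],
            "excludedNamespaces": [],
            "kinds": [{"apiGroups": [""], "kinds": ["Pod"]}],
        }
    },
}

# Constructed sample manifests: the rejected pod from the page, a
# compliant variant, and the same bad pod in an out-of-scope namespace.
BAD_POD: Dict = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "bad", "namespace": "prod"},
    "spec": {"containers": [{"name": "c", "image": "alpine",
                             "securityContext": {"privileged": True}}]},
}
GOOD_POD: Dict = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "good", "namespace": "prod"},
    "spec": {"containers": [{"name": "c", "image": "alpine"}]},
}
DEV_POD: Dict = {**BAD_POD, "metadata": {"name": "bad", "namespace": "dev"}}


def make_review(obj: Dict, group: str = "") -> Dict:
    """Build the `input.review` shape the Rego reads: kind plus object."""
    return {"kind": {"group": group, "kind": obj["kind"]}, "object": obj}


def constraint_matches(constraint: Dict, review: Dict) -> bool:
    """Replicates the Constraint's match block: namespace in scope, not
    exempted via excludedNamespaces, and the object's group/kind listed."""
    match = constraint["spec"]["match"]
    ns = review["object"].get("metadata", {}).get("namespace", "default")
    if match.get("namespaces") and ns not in match["namespaces"]:
        return False
    if ns in match.get("excludedNamespaces", []):
        return False
    group = review["kind"].get("group", "")
    kind = review["kind"]["kind"]
    return any(group in e["apiGroups"] and kind in e["kinds"]
               for e in match.get("kinds", []))


def privileged_violations(review: Dict) -> List[Dict]:
    """Mirror of the Rego `violation` rule: one {"msg", "details"} entry
    per privileged container. initContainers are also checked here, which
    extends the page's rule (it reads only spec.containers)."""
    if review["kind"]["kind"] != "Pod":
        return []
    found: List[Dict] = []
    spec = review["object"].get("spec", {})
    for field in ("containers", "initContainers"):
        for c in spec.get(field, []):
            sc = c.get("securityContext") or {}
            if sc.get("privileged") is True:
                found.append({"msg": "privileged containers are not allowed",
                              "details": {"field": field,
                                          "container": c.get("name")}})
    return found


def admit(constraints: List[Dict], review: Dict) -> Tuple[bool, List[str]]:
    """Deny when any matching constraint reports a violation, the way the
    admission webhook does; messages are prefixed with the constraint name."""
    msgs: List[str] = []
    for cst in constraints:
        if constraint_matches(cst, review):
            msgs += [f'[{cst["metadata"]["name"]}] {v["msg"]}'
                     for v in privileged_violations(review)]
    return (not msgs, msgs)


if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD, DEV_POD):
        allowed, reasons = admit([FORBID_PRIVILEGED], make_review(pod))
        print(pod["metadata"]["namespace"], pod["metadata"]["name"],
              "ALLOWED" if allowed else "DENIED", reasons)
```

The `dev` pod is admitted even though it is privileged, which is exactly the behaviour of the page's Constraint: its `match.namespaces` is limited to `prod`. Running such a mirror in a pull-request pipeline gives the same verdict the cluster will give, before the change is merged.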
