# Kubernetes Gatekeeper: OPA Policy Constraints in Practice

Gatekeeper is an admission webhook that evaluates OPA (Rego) policies against every object sent to the API server. A policy is split into two resources: a ConstraintTemplate, which carries the Rego and defines a new CRD kind, and a Constraint, an instance of that kind that says which resources the policy applies to. The example below rejects Pods whose containers use the mutable `:latest` tag, so that every running image is pinned to a reviewable version.

## ConstraintTemplate

The template declares the `K8sDisallowLatest` kind and embeds the Rego rule. Gatekeeper passes the AdmissionReview under `input.review`, so the object being created is `input.review.object`; each `violation` result that the rule produces becomes a denial message returned to the client.

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sdisallowlatest
spec:
  crd:
    spec:
      names:
        kind: K8sDisallowLatest
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdisallowlatest

        violation[{"msg": msg, "details": {}}] {
          input.review.kind.kind == "Pod"
          some i
          container := input.review.object.spec.containers[i]
          endswith(container.image, ":latest")
          msg := sprintf("image %s uses tag latest", [container.image])
        }
```

Two limits of this rule are worth knowing before relying on it. First, it only inspects `spec.containers`; images in `initContainers` (and `ephemeralContainers`) are not checked. Second, an image reference with no tag at all (for example `nginx`) is resolved by the container runtime to `latest`, but does not end in `:latest` and therefore passes. A production policy should also match untagged images, and ideally require a digest (`@sha256:...`) rather than any tag.

## Constraint

The Constraint instantiates the kind defined above and restricts it to Pods in the core API group (`apiGroups: [""]`).

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowLatest
metadata:
  name: disallow-latest
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
```

Matching on Pods is sufficient to block workloads created through Deployments or Jobs, because the Pods they spawn still go through admission; the difference is that the rejection then shows up in the owning ReplicaSet's events rather than as an error from `kubectl apply`. When rolling a new policy out to an existing cluster, set `spec.enforcementAction: dryrun` on the Constraint first and read the violations it records in its status before switching to the default `deny`.

## Verification

After applying the template and then the constraint (in that order, since the Constraint's kind does not exist until the template is reconciled), creating a Pod whose container image ends in `:latest` is rejected by the admission webhook with the message produced by `sprintf` in the rule. A Pod using a fixed tag or a digest is admitted unchanged.

## Summary

Gatekeeper gives the cluster auditable, composable policy constraints: the Rego lives in version control, each Constraint documents exactly which kinds it governs, and violations are returned to the client at admission time instead of being discovered later. That improves both security and consistency across teams.
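To exercise the policy logic without a cluster, the following script mirrors the Rego `violation` rule above in Python against an AdmissionReview-shaped input. This is an added example, not code from the original post or from the Gatekeeper project. The sample review (`SAMPLE_REVIEW`) is constructed here; `strict=False` reproduces exactly what the page's rule checks, and `strict=True` shows the stricter variant discussed in the text, which also flags untagged images and inspects `initContainers`. The tag parser handles registry hosts with a port so that `registry:5000/app` is not misread as tag `5000/app`.

```python
"""Offline mirror of the K8sDisallowLatest Rego rule (added example, not Gatekeeper code)."""
import re

# A reference pinned by digest looks like repo@sha256:<64 hex chars>.
_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def image_tag(image: str):
    """Return the tag of an image reference.

    Returns None when the reference has no tag (Kubernetes then pulls `latest`)
    and the string "digest" when the reference is pinned by sha256 digest.
    """
    if _DIGEST_RE.search(image):
        return "digest"
    name = image
    # The first path component is a registry host only if it contains '.' or ':'
    # or is 'localhost'; strip it so a registry port is not mistaken for a tag.
    first, sep, rest = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        name = rest
    if ":" in name:
        return name.rsplit(":", 1)[1]
    return None


def violations(review: dict, strict: bool = False) -> list:
    """Evaluate the same condition as the Rego `violation` rule.

    review: the `input.review` object Gatekeeper hands to Rego (kind + object).
    strict=False: the page's rule as written (spec.containers, tag == latest).
    strict=True:  also initContainers, and untagged images count as latest.
    """
    if review["kind"]["kind"] != "Pod":
        return []
    spec = review["object"]["spec"]
    fields = ["containers"] + (["initContainers"] if strict else [])
    msgs = []
    for field in fields:
        for container in spec.get(field, []):
            tag = image_tag(container["image"])
            if tag == "latest":
                msgs.append(f"image {container['image']} uses tag latest")
            elif strict and tag is None:
                msgs.append(f"image {container['image']} has no tag (defaults to latest)")
    return msgs


# Constructed AdmissionReview fragment, shaped like Gatekeeper's input.review.
SAMPLE_REVIEW = {
    "kind": {"group": "", "version": "v1", "kind": "Pod"},
    "object": {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": "demo", "namespace": "default"},
        "spec": {
            "initContainers": [{"name": "init", "image": "busybox"}],
            "containers": [
                {"name": "web", "image": "nginx:latest"},
                {"name": "api", "image": "registry.example.com:5000/team/api:1.4.2"},
                {"name": "pinned", "image": "alpine@sha256:" + "a" * 64},
            ],
        },
    },
}

if __name__ == "__main__":
    for mode in (False, True):
        print(f"strict={mode}:")
        for msg in violations(SAMPLE_REVIEW, strict=mode):
            print("  ", msg)
```

Run as a script it prints one violation in the page's mode (`nginx:latest`) and two in strict mode, the second being the untagged `busybox` init container that the original Rego silently admits. The same split is a useful way to review any Gatekeeper rule: write down the inputs the Rego is meant to reject, then check which of them actually trip it.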
