Task weight: 6%

Use context: kubectl config use-context infra-prod

The Open Policy Agent and Gatekeeper have been installed to, among other things, enforce blacklisting of certain image registries. Alter the existing constraint and/or template to also blacklist images from very-bad-registry.com.

Test it by creating a single Pod using image very-bad-registry.com/image in Namespace default; it shouldn't work.

You can also verify your changes by looking at the existing Deployment untrusted in Namespace default, which uses an image from the new untrusted source. The OPA constraint should report violation messages for it.



Solution
kubectl config use-context infra-prod

Check the OPA constraints

k get crd
k get constraint
k edit constrainttemplates blacklistimages
# kubectl edit constrainttemplates blacklistimages
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
...
spec:
  crd:
    spec:
      names:
        kind: BlacklistImages
  targets:
  - rego: |
      package k8strustedimages

      images {
        image := input.review.object.spec.containers[_].image
        not startswith(image, "docker-fake.io/")
        not startswith(image, "google-gcr-fake.com/")
        not startswith(image, "very-bad-registry.com/") # add this line
      }

      violation[{"msg": msg}] {
        not images
        msg := "not trusted image!"
      }
    target: admission.k8s.gatekeeper.sh
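To see exactly what the template above accepts and rejects without a cluster, here is an added example that is not part of the original page and is not Gatekeeper or OPA code: a small Python model of how Rego evaluates the `images` and `violation` rules over `input.review.object`, next to a stricter per-image variant (`violations_strict_policy`, an assumption of this example, not something the page defines). The sample Pods and container names are constructed for the example.

```python
# Added example (not from the page, not Gatekeeper/OPA code): a Python model of
# how Rego evaluates the page's BlacklistImages template, plus a stricter
# per-image variant. All Pods below are constructed for this example.

BLACKLIST = (
    "docker-fake.io/",
    "google-gcr-fake.com/",
    "very-bad-registry.com/",  # the prefix the task asks you to add
)


def images_rule(inp):
    """Models the template's `images` rule.

    `input.review.object.spec.containers[_].image` iterates over containers, and
    a Rego rule body succeeds if SOME binding satisfies every expression. So
    `images` is true as soon as ANY container image matches none of the
    blacklisted prefixes.
    """
    containers = inp["review"]["object"].get("spec", {}).get("containers", [])
    return any(
        not any(c["image"].startswith(p) for p in BLACKLIST)
        for c in containers
    )


def violations_page_policy(inp):
    """Models the template's `violation` rule: `not images`, so a Pod only
    violates when NO container has a trusted image."""
    return [] if images_rule(inp) else ["not trusted image!"]


def violations_strict_policy(inp):
    """Stricter variant (an assumption of this example, not on the page): one
    violation per blacklisted image, across containers and initContainers, so a
    Pod mixing trusted and untrusted images is rejected too."""
    spec = inp["review"]["object"].get("spec", {})
    msgs = []
    for field in ("containers", "initContainers"):
        for c in spec.get(field, []):
            for prefix in BLACKLIST:
                if c["image"].startswith(prefix):
                    msgs.append(
                        f"image '{c['image']}' is from blacklisted registry '{prefix}'"
                    )
    return msgs


def admission_input(*images, init=()):
    """Build `input` the way Gatekeeper hands it to Rego: the Pod sits under
    input.review.object. Container names are constructed."""
    pod = {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": "opa-test", "namespace": "default"},
        "spec": {
            "containers": [
                {"name": f"c{i}", "image": img} for i, img in enumerate(images)
            ],
            "initContainers": [
                {"name": f"i{i}", "image": img} for i, img in enumerate(init)
            ],
        },
    }
    return {"review": {"object": pod, "operation": "CREATE"}}


if __name__ == "__main__":
    cases = {
        "task test pod (single bad image)": admission_input("very-bad-registry.com/image"),
        "trusted only": admission_input("nginx:1.25"),
        "mixed trusted + bad": admission_input("nginx:1.25", "very-bad-registry.com/image"),
        "bad initContainer": admission_input("nginx:1.25", init=("docker-fake.io/setup",)),
    }
    for name, inp in cases.items():
        print(f"{name:36} page policy: {violations_page_policy(inp) or 'admitted'}")
        print(f"{'':36} strict:      {violations_strict_policy(inp) or 'admitted'}")
```

The model makes the caveat visible: because `images` is an existential rule, the page's template only fires when no container at all has a trusted image. The task's single-container test Pod is rejected, and the Deployment untrusted is reported, so the exam check passes, but a Pod that mixes `nginx:1.25` with `very-bad-registry.com/image` is admitted, and initContainers are never inspected. For a real cluster, write the violation per image instead, e.g. `violation[{"msg": msg}] { image := input.review.object.spec.containers[_].image; startswith(image, "very-bad-registry.com/"); msg := sprintf("untrusted image %v", [image]) }`, and repeat it for `initContainers`.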

Check that the change takes effect

k run opa-test --image=very-bad-registry.com/image

[screenshot open-policy-agent-0]

Check again after a short while (Gatekeeper's audit runs periodically, so the constraint status is not updated immediately): the other two Pods are now listed as violations.

k describe blacklistimages pod-trusted-images

[screenshot open-policy-agent-1]