gatekeeper-valint

command module
v0.0.1-2
Published: Aug 10, 2023 License: Apache-2.0 Imports: 1 Imported by: 0

README

gatekeeper-valint

Integrates OPA Gatekeeper's new ExternalData feature with cosign to determine whether images are valid by verifying their signatures.

This repo is meant for testing the Gatekeeper external data feature. Do not use it in production.

Installation

  • Deploy Gatekeeper with external data enabled (--enable-external-data)
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm install gatekeeper/gatekeeper  \
    --name-template=gatekeeper \
    --namespace gatekeeper-system --create-namespace \
    --set enableExternalData=true \
    --set controllerManager.dnsPolicy=ClusterFirst,audit.dnsPolicy=ClusterFirst \
    --version 3.10.0

Note: This repository currently only works with Gatekeeper 3.10 and the externalData feature in alpha. There is an open issue to track support for Gatekeeper 3.11 and the externalData feature in beta: https://github.com/scribe-security/gatekeeper-valint/issues/20.

Let's install the gatekeeper-valint:

  • kubectl apply -f manifest

  • kubectl apply -f manifest/provider.yaml

    Update the url if it is not http://gatekeeper-valint.gatekeeper-valint:8090 (the default)

  • kubectl apply -f policy/template.yaml

  • kubectl apply -f policy/constraint.yaml

Verification

To test this successfully, we first need to sign one of our images with the cosign tool:

Generate key pair

$ cosign generate-key-pair

There are two example manifests under policy/examples: one valid manifest that references a signed image, and one invalid manifest. To reproduce this, sign your own image the same way:

$ crane copy alpine:latest devopps/alpine:signed
$ crane copy alpine:3.14 devopps/alpine:unsigned
$ cosign sign --key cosign.key devopps/alpine:signed

Once you are ready, apply these manifests one by one: Gatekeeper should allow the Pod from valid.yaml and deny the Pod from the other manifest.

External Data Provider

A template repository for building external data providers for Gatekeeper.

Prerequisites

Quick Start

  1. Create a kind cluster.

  2. Install the latest version of Gatekeeper and enable the external data feature.

# Add the Gatekeeper Helm repository
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts

# Install the latest version of Gatekeeper with the external data feature enabled.
helm install gatekeeper/gatekeeper \
    --set enableExternalData=true \
    --name-template=gatekeeper \
    --namespace gatekeeper-system \
    --create-namespace
  3. Build and deploy the external data provider.
git clone https://github.com/open-policy-agent/gatekeeper-external-data-provider.git
cd gatekeeper-external-data-provider

# if you are not planning to establish mTLS between the provider and Gatekeeper,
# deploy the provider to a separate namespace. Otherwise, do not run the following command
# and deploy the provider to the same namespace as Gatekeeper.
export NAMESPACE=provider-system

# generate a self-signed certificate for the external data provider
./scripts/generate-tls-cert.sh

# build the image via docker buildx
make docker-buildx

# load the image into kind
make kind-load-image

# Choose one of the following ways to deploy the external data provider:

# 1. client and server auth enabled (recommended)
helm install external-data-provider charts/external-data-provider \
    --set provider.tls.caBundle="$(cat certs/ca.crt | base64 | tr -d '\n\r')" \
    --namespace "${NAMESPACE:-gatekeeper-system}" --create-namespace

# 2. client auth disabled and server auth enabled
helm install external-data-provider charts/external-data-provider \
    --set clientCAFile="" \
    --set provider.tls.caBundle="$(cat certs/ca.crt | base64 | tr -d '\n\r')" \
    --namespace "${NAMESPACE:-gatekeeper-system}" \
    --create-namespace

4a. Install constraint template and constraint.

kubectl apply -f validation/external-data-provider-constraint-template.yaml
kubectl apply -f validation/external-data-provider-constraint.yaml

4b. Test the external data provider by dry-running the following command:

kubectl run nginx --image=error_nginx --dry-run=server -ojson

Gatekeeper should deny the pod admission above because the image name error_nginx carries the error_ prefix, which the provider reports as invalid.

Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [deny-images-with-invalid-suffix] invalid response: {"errors": [["error_nginx", "error_nginx_invalid"]], "responses": [], "status_code": 200, "system_error": ""}

5a. Install Assign mutation.

kubectl apply -f mutation/external-data-provider-mutation.yaml

5b. Test the external data provider by dry-running the following command:

kubectl run nginx --image=nginx --dry-run=server -ojson

The expected JSON output should contain the following image field, with _valid appended by the external data provider:

"containers": [
    {
        "name": "nginx",
        "image": "nginx_valid",
        ...
    }
]
  6. Uninstall the external data provider and Gatekeeper.
kubectl delete -f validation/
kubectl delete -f mutation/
helm uninstall external-data-provider --namespace "${NAMESPACE:-gatekeeper-system}"
helm uninstall gatekeeper --namespace gatekeeper-system
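As an added example (not code from this repository or from the Gatekeeper template), the following Go handler implements the provider side of the exchange shown in steps 4b and 5b: a key prefixed with error_ comes back with the <key>_invalid error that produces the deny above, and every other key is returned as <key>_valid, the value the Assign mutation writes into the image field. The wire-format structs are re-declared locally as an assumption rather than imported from the Gatekeeper frameworks module.

```go
package main

import (
	"encoding/json"
	"net/http"
	"strings"
)

// Wire format of externaldata.gatekeeper.sh/v1alpha1, re-declared (assumption).
type Item struct {
	Key   string `json:"key"`
	Value string `json:"value,omitempty"`
	Error string `json:"error,omitempty"`
}
type ProviderResponse struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Response   struct {
		Idempotent bool   `json:"idempotent"`
		Items      []Item `json:"items"`
	} `json:"response"`
}

// Validate mirrors the template's rule: keys prefixed "error_" are rejected
// with "<key>_invalid"; every other key comes back as "<key>_valid".
func Validate(keys []string) []Item {
	items := make([]Item, 0, len(keys))
	for _, k := range keys {
		it := Item{Key: k, Value: k + "_valid"}
		if strings.HasPrefix(k, "error_") {
			it = Item{Key: k, Error: k + "_invalid"}
		}
		items = append(items, it)
	}
	return items
}

// Handler is the endpoint Gatekeeper posts a ProviderRequest to; only the
// request.keys field is decoded (the envelope also carries apiVersion and kind).
func Handler(w http.ResponseWriter, r *http.Request) {
	var req struct{ Request struct{ Keys []string `json:"keys"` } `json:"request"` }
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	resp := ProviderResponse{APIVersion: "externaldata.gatekeeper.sh/v1alpha1", Kind: "ProviderResponse"}
	resp.Response.Idempotent = true // same keys always give the same verdict
	resp.Response.Items = Validate(req.Request.Keys)
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(resp)
}
```

Serve Handler on the provider's port (8090 in the manifest above) and Gatekeeper's Rego `external_data` call receives one item per key, which is what the constraint template turns into the deny message shown in step 4b.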

Documentation

There is no documentation for this package.
