Gatekeeper hello world
Context
This project goal is to explore different use cases to test gatekeeper policy behaviours.
Prerequisites
Deploying all pods from all these use cases require admin right due to restricted namespace access
use case files:
- nginx-not-privileged-pod.yaml
- nginx-privileged-pod.yaml
- nginx-microsoft-repo-ns-client.yaml
- nginx-microsoft-repo-ns-kube-system.yaml
- nginx-artifactory-repo-ns-client.yaml
- nginx-artifactory-repo-ns-kube-system.yaml
Tutorial
| Use case | Policy concerned | File | Required admin right | Command | Expected results |
|---|---|---|---|---|---|
| Pod without requesting privilege | no-privileged-container | nginx-not-privileged-pod.yaml | No | kubectl apply -f nginx-not-privileged-pod.yaml -n dev | pod/nginx-not-privileged created |
| Pod requesting privilege | no-privileged-container | nginx-privileged-pod.yaml | No | kubectl apply -f nginx-privileged-pod.yaml -n dev | Error from server (Forbidden): error when creating "nginx-privileged-pod.yaml": admission webhook "validation.gatekeeper.sh" denied the request ... |
| Deploy pod from untrusted repo and restricted namespace | containers-shall-only-use-allowed-images | nginx-microsoft-repo-ns-dev.yaml | No | kubectl apply -f nginx-microsoft-repo-ns-client.yaml -n dev | Error from server (Forbidden): error when creating "nginx-microsoft-repo-ns-dev.yaml": admission webhook "validation.gatekeeper.sh" denied the request:... |
| Deploy pod from untrusted repo and unrestricted namespace | containers-shall-only-use-allowed-images | nginx-microsoft-repo-ns-kube-system.yaml | Yes | kubectl apply -f nginx-microsoft-repo-ns-kube-system.yaml | pod/nginx-from-microsoft-repo created |
| Deploy pod from trusted repo and restricted namespace | containers-shall-only-use-allowed-images | nginx-artifactory-repo-ns-dev.yaml | No | kubectl apply -f nginx-artifactory-repo-ns-client.yaml -n dev | pod/nginx-from-artifactory-repo created |
| Deploy pod from trusted repo and unrestricted namespace | containers-shall-only-use-allowed-images | nginx-artifactory-repo-ns-kube-system.yaml | Yes | kubectl apply -f nginx-artifactory-repo-ns-kube-system.yaml | pod/nginx-from-artifactory-repo created |
Remove your test
kubectl delete pod nginx-not-privileged-pod -n dev
kubectl delete pod nginx-privileged-pod -n dev
kubectl delete pod nginx-microsoft-repo-ns-client -n dev
kubectl delete pod nginx-microsoft-repo-ns-kube-system -n kube-system
kubectl delete pod nginx-artifactory-repo-ns-client -n dev
kubectl delete pod nginx-artifactory-repo-ns-kube-system -n kube-system