[root@localhost ~]# docker plugin list
ID             NAME                                      DESCRIPTION                                      ENABLED
8c9fc9b3e798   openpolicyagent/opa-docker-authz-v2:0.8   A policy-enabled authorization plugin for Do…   true
3. Write the OPA rule. Edit the authz.rego file so that its contents are as follows:
package docker.authz

default allow = false

allow {
    not deny
}

deny {
    seccomp_unconfined
}

seccomp_unconfined {
    # This expression asserts that the string on the right-hand side is equal
    # to an element in the array SecurityOpt referenced on the left-hand side.
    input.Body.HostConfig.SecurityOpt[_] == "seccomp:unconfined"
}
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: BlacklistImages
metadata:
  generation: 1
  managedFields:
  name: pod-trusted-images
  resourceVersion: "14449"
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Finally, create the constraint instance from the YAML file:
root@vms71:~/gatekeeper# kubectl apply -f gatekeeper-blacklist.yaml
blacklistimages.constraints.gatekeeper.sh/pod-trusted-images created
root@vms71:~/gatekeeper# kubectl get BlacklistImages
NAME                 AGE
pod-trusted-images   30s
docker tag nginx:latest xx.163.com/library/nginx
docker tag nginx:latest yy.163.com/library/nginx
docker tag nginx:latest zz.163.com/library/nginx
Check whether the tags were created:
root@vms72:~# docker images
REPOSITORY                 TAG       IMAGE ID       CREATED       SIZE
xx.163.com/library/nginx   latest    ea335eea17ab   4 weeks ago   141MB
yy.163.com/library/nginx   latest    ea335eea17ab   4 weeks ago   141MB
zz.163.com/library/nginx   latest    ea335eea17ab   4 weeks ago   141MB
Then, on the master node, we create a pod from each of these three images and check whether the creation succeeds.
root@vms71:~/gatekeeper# kubectl run web1 --image=xx.163.com/library/nginx --image-pull-policy=IfNotPresent
Error from server ([pod-trusted-images] not trusted image!): admission webhook "validation.gatekeeper.sh" denied the request: [pod-trusted-images] not trusted image!
root@vms71:~/gatekeeper# kubectl run web1 --image=yy.163.com/library/nginx --image-pull-policy=IfNotPresent
Error from server ([pod-trusted-images] not trusted image!): admission webhook "validation.gatekeeper.sh" denied the request: [pod-trusted-images] not trusted image!
As shown, creating a pod from either xx.163.com/library/nginx or yy.163.com/library/nginx is rejected by the OPA rule with the error [pod-trusted-images] not trusted image!. With zz.163.com/library/nginx, the pod is created normally:
root@vms71:~/gatekeeper# kubectl run web1 --image=zz.163.com/library/nginx --image-pull-policy=IfNotPresent
pod/web1 created
root@vms71:~/gatekeeper# kubectl get pod web1
NAME   READY   STATUS    RESTARTS   AGE
web1   1/1     Running   0          10s
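For reference, the ConstraintTemplate below defines a BlacklistImages kind that reproduces the behaviour seen above (xx and yy rejected, zz admitted). It is an added example, not the template from the original page (which is not shown there); because the page's Constraint carries no parameters, the blacklisted registry prefixes are assumed to be hardcoded in the template's Rego.

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: blacklistimages
spec:
  crd:
    spec:
      names:
        kind: BlacklistImages
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package blacklistimages

        # Registry prefixes whose images are rejected. Constructed for this
        # example: the page's Constraint has no parameters block, so the
        # list is hardcoded instead of being read from input.parameters.
        blacklisted_registries := {"xx.163.com/", "yy.163.com/"}

        # Collect every image the admitted Pod would run, including
        # initContainers, so a blacklisted image cannot hide in either list.
        images[img] {
          img := input.review.object.spec.containers[_].image
        }
        images[img] {
          img := input.review.object.spec.initContainers[_].image
        }

        blacklisted(img) {
          startswith(img, blacklisted_registries[_])
        }

        # One violation per offending image. Gatekeeper prefixes msg with the
        # constraint name, giving "[pod-trusted-images] not trusted image!"
        # exactly as in the kubectl output above.
        violation[{"msg": "not trusted image!"}] {
          img := images[_]
          blacklisted(img)
        }
```

Apply the template before the Constraint; since the match is by prefix, images such as zz.163.com/library/nginx or any registry not listed pass through unchanged.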