0

我是 opa 和 k8s 的新手,我在这个领域没有太多的知识或经验。我想在 rego 代码(opa 政策)中制定政策并执行以查看结果。以下示例是:

  1. 始终拉取图像 - 确保每个容器都将其“imagePullPolicy”设置为“始终”</li>
  2. 检查 Liveness Probe - 确保每个容器都设置 livenessProbe
  3. 检查 Readiness Probe - 确保每个容器都设置了 readinessProbe

对于以下内容,我想要一个 opa 政策:

1.总是拉图像:

apiVersion: v1
kind: Pod
metadata:
  name: test-image-pull-policy
spec:
  containers:
    - name: nginx
      image: nginx:1.13
      imagePullPolicy: IfNotPresent

2.检查活性探针

3.检查就绪探针

containers:
- name: opa
  image: openpolicyagent/opa:latest
  ports:
  - name: http
    containerPort: 8181
  args:
  - "run"
  - "--ignore=.*"            # exclude hidden dirs created by Kubernetes
  - "--server"
  - "/policies"
  volumeMounts:
  - readOnly: true
    mountPath: /policies
    name: example-policy
  livenessProbe:
    httpGet:
      scheme: HTTP           # assumes OPA listens on localhost:8181
      port: 8181
    initialDelaySeconds: 5   # tune these periods for your environemnt
    periodSeconds: 5
  readinessProbe:
    httpGet:
      path: /health?bundle=true  # Include bundle activation in readiness
      scheme: HTTP
      port: 8181
    initialDelaySeconds: 5
    periodSeconds: 5

有没有办法为上述条件创建 opa 策略。任何人都可以提供帮助,因为我是 opa 的新手。提前致谢。

4

2 回答 2

1

对于 liveness 和 readiness 探测检查,您可以简单地测试这些字段是否已定义:

package kubernetes.admission

deny["container is missing livenessProbe"] {
  container := input_container[_]
  not container.livenessProbe
}

deny["container is missing readinessProbe"] {
  container := input_container[_]
  not container.readinessProbe
}

input_container[container] {
  container := input.request.object.spec.containers[_]
}
于 2019-08-16T13:43:49.673 回答
0 
#Always Pull Images 

package kubernetes.admission

deny[msg] {
        input.request.kind.kind = "Pod"
        container = input.request.object.spec.containers[_]
        container.imagePullPolicy != "Always"
        msg = sprintf("Forbidden imagePullPolicy value \"%v\"", [container.imagePullPolicy])
}
于 2019-08-05T15:30:56.537 回答