
I am trying to get a value from a ConfigMap in Rego.

For kube-mgmt, in the deployment, I have:

```yaml
- args:
  - --enable-data=true
  - --policies=opa-mutate
  - --require-policy-label=true
  - --replicate-cluster=v1/configmaps
  - --replicate-cluster=v1/namespaces
  - --replicate=extensions/v1beta1/ingresses
  - --replicate=v1/configmaps
  - --replicate=networking.k8s.io/v1beta1/ingresses
```

In my ConfigMap, I have:

```yaml
apiVersion: v1
data:
  annotations.rego: |
    package kubernetes.admission

    import data.kubernetes
    import data.kubernetes.namespaces
    import data.kubernetes.configmaps

    # Get configmap properties
    clvars := configmaps["kube-system"].data["helm-variables"]["values.yaml"]
    subnet := clvars.workerSubnets[0]
    patch[p] {
      ops := { "CREATE", "UPDATE" }
      kinds := { "Ingress" }
      ops[input.request.operation]
      kinds[input.request.object.kind]

      albannotations := {
        "subnet": subnet,
        "alb.ingress.kubernetes.io/healthcheck-path": "/healthz",
        "alb.ingress.kubernetes.io/listen-ports": `[{"HTTPS": 443}]`,
        "alb.ingress.kubernetes.io/target-type": "ip"
      }

      alb_annotations := merge_objects(annotations, albannotations)

      k := pick_first("annotations", input.request.object.metadata, {"annotations": {}})
      merged_annotations := merge_objects(alb_annotations, k)
      p = {"op": "add", "path": "/metadata/annotations", "value": merged_annotations}
    }
```

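Now this all works fine if I remove `"subnet": subnet,`, meaning the Ingress that gets created is annotated as required.

I tried following the information at: https://github.com/open-policy-agent/kube-mgmt

I don't know what else to try to get the information from the ConfigMap, or how to test it in any way other than re-editing the ConfigMap.

This is what my ConfigMap looks like: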

```yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    openpolicyagent.org/data: opa
  name: helm-variables
  namespace: kube-system
data:
  values.yaml: |
    global:
      availabilityZones:
        - "us-west-2a"
        - "us-west-2b"
      workerSubnets:
        - "subnet_a"
        - "subnet_b"
```
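
As an added example that is not part of the original post: a Rego unit test that feeds a constructed copy of this ConfigMap to a policy using `with`, so the lookup can be checked offline instead of by re-editing the ConfigMap in the cluster. It assumes kube-mgmt's layout for namespaced resources, `data.kubernetes.configmaps[namespace][name]`, and parses the `values.yaml` string with the `yaml.unmarshal` built-in. The package name, rule names and the reduced `patch` rule are hypothetical, written in the same pre-1.0 Rego syntax as the post.

```rego
package example.configmap_lookup

# Constructed mock of the replicated ConfigMap (assumed layout:
# data.kubernetes.configmaps[<namespace>][<name>] holds the whole object).
mock_configmaps := {"kube-system": {"helm-variables": {
	"metadata": {"name": "helm-variables", "namespace": "kube-system"},
	"data": {"values.yaml": "global:\n  workerSubnets:\n    - subnet_a\n    - subnet_b\n"},
}}}

# A ConfigMap value is a string; here it contains YAML, so it is parsed
# into an object before any key is looked up.
helm_values := yaml.unmarshal(data.kubernetes.configmaps["kube-system"]["helm-variables"].data["values.yaml"])

# workerSubnets sits under the top-level "global" key of values.yaml.
subnet := helm_values["global"].workerSubnets[0]

# Reduced stand-in for the mutation rule: it only carries the subnet value.
patch[p] {
	input.request.object.kind == "Ingress"
	p := {"op": "add", "path": "/metadata/annotations/subnet", "value": subnet}
}

# The lookup resolves when the mocked ConfigMap is present.
test_subnet_from_configmap {
	subnet == "subnet_a" with data.kubernetes.configmaps as mock_configmaps
}

# Without replicated data the rule is undefined, so patch yields nothing.
test_subnet_undefined_without_data {
	not subnet with data.kubernetes.configmaps as {}
}

# End to end: a constructed admission request plus the mocked data.
test_patch_carries_subnet {
	req := {"request": {"operation": "CREATE", "object": {"kind": "Ingress", "metadata": {"name": "demo"}}}}
	expected := {"op": "add", "path": "/metadata/annotations/subnet", "value": "subnet_a"}
	patch[expected] with input as req with data.kubernetes.configmaps as mock_configmaps
}
```

Saved as a `.rego` file, this runs locally with `opa test -v <file>`; an undefined lookup shows up as a failing test rather than as a silently missing annotation.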