【问题标题】:Restrict Ingress/Egress CIDR Ranges – OPA Gatekeeper NetworkPolicy限制入口/出口 CIDR 范围 – OPA Gatekeeper NetworkPolicy
【发布时间】:2021-10-04 03:36:12
【问题描述】:

我正在尝试通过 OPA 网守网络策略部署一些限制入口/出口 CIDR 范围。

首先我必须创建constrainttemplate,它将对任何 IP 或 IP CIDR 范围应用任何类型的入口/出口访问权限,但以下 yaml 文件允许的范围除外:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdenyegress
spec:
  crd:
    spec:
      names:
        kind: K8sDenyEgress
      validation:
          openAPIV3Schema:
                  properties:
                        cidr:
                                type: array
                                items:
                                        type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenyegress 
        violation [{"msg": msg}] {
            input.review.object.kind == "NetworkPolicy"
            cidr_or_ip :=  { ip | ip := input.review.object.spec.egress[_].to[_].ipBlock.cidr}
            cidr := { ip | ip := input.parameters.cidr[_]}
            value := net.cidr_contains(cidr, cidr_or_ip)
            not(value)
            msg := "The specified IP is not allowed."
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyEgress
metadata:
  name: deny-egress
spec:
  match:
    kinds:
      - apiGroups: ["networking.k8s.io"]
        kinds: ["NetworkPolicy"]
  parameters:
          cidr:
              - "192.168.0.1/24"

部署后出现以下错误:

Target:  admission.k8s.gatekeeper.sh
Status:
  By Pod:
    Errors:
      Code:               ingest_error
      Message:            Could not ingest Rego: 1 error occurred: __modset_templates["admission.k8s.gatekeeper.sh"]["K8sDenyEgress"]_idx_0:7: rego_type_error: net.cidr_contains: invalid argument(s)
                          have: (set[any], set[any], ???)
                          want: (string, string, boolean)
    Id:                   gatekeeper-audit-54c9759898-xxdmd
    Observed Generation:  1
    Operations:
      audit
      status
    Template UID:  f29e2dd0-5918-48a7-b943-23f36b91690f
    Errors:
      Code:               ingest_error
      Message:            Could not ingest Rego: 1 error occurred: __modset_templates["admission.k8s.gatekeeper.sh"]["K8sDenyEgress"]_idx_0:7: rego_type_error: net.cidr_contains: invalid argument(s)
                          have: (set[any], set[any], ???)
                          want: (string, string, boolean)
    Id:                   gatekeeper-controller-manager-6bcc7f8fb5-fjbfq
    Observed Generation:  1
    Operations:
      webhook
    Template UID:  f29e2dd0-5918-48a7-b943-23f36b91690f
    Errors:
      Code:               ingest_error
      Message:            Could not ingest Rego: 1 error occurred: __modset_templates["admission.k8s.gatekeeper.sh"]["K8sDenyEgress"]_idx_0:7: rego_type_error: net.cidr_contains: invalid argument(s)
                          have: (set[any], set[any], ???)
                          want: (string, string, boolean)
    Id:                   gatekeeper-controller-manager-6bcc7f8fb5-gwhrl
    Observed Generation:  1
    Operations:
webhook
    Template UID:  f29e2dd0-5918-48a7-b943-23f36b91690f
    Errors:
      Code:               ingest_error
      Message:            Could not ingest Rego: 1 error occurred: __modset_templates["admission.k8s.gatekeeper.sh"]["K8sDenyEgress"]_idx_0:7: rego_type_error: net.cidr_contains: invalid argument(s)
                          have: (set[any], set[any], ???)
                          want: (string, string, boolean)
    Id:                   gatekeeper-controller-manager-6bcc7f8fb5-sc67f
    Observed Generation:  1
    Operations:
      webhook
    Template UID:  f29e2dd0-5918-48a7-b943-23f36b91690f
  Created:         true
Events:            <none>

您能帮忙解决这个错误吗?

【问题讨论】:

    标签: kubernetes kubernetes-networkpolicy open-policy-agent


    【解决方案1】:

    函数cidr_contains不接受sets作为参数,见documentation。我改用函数cidr_contains_matches 如下:

    apiVersion: templates.gatekeeper.sh/v1beta1
    kind: ConstraintTemplate
    metadata:
      name: k8sdenyegress
    spec:
      crd:
        spec:
          names:
            kind: K8sDenyEgress
          validation:
            openAPIV3Schema:
              properties:
                cidr:
                  type: array
                  items:
                    type: string
      targets:
        - target: admission.k8s.gatekeeper.sh
          rego: |
            package k8sdenyegress 
            violation [{"msg": msg}] {
                input.review.object.kind == "NetworkPolicy"
                egress_cidrs :=  { cidr | cidr := input.review.object.spec.egress[_].to[_].ipBlock.cidr}
                whitelist_cidrs := { cidr | cidr := input.parameters.cidr[_]}
                matches := net.cidr_contains_matches(whitelist_cidrs, egress_cidrs)
                matched := { cidr | cidr := matches[_][1]}
                not_matched := egress_cidrs - matched
                count(not_matched) > 0
                msg := sprintf("The network policy '%s' contains egress cidrs that are not contained in whitelist: %s", [input.review.object.metadata.name, not_matched])
            }
    

    对于那些想知道如何检查错误的人:

    kubectl describe constrainttemplate.templates.gatekeeper.sh/k8sdenyegress

    【讨论】:

      猜你喜欢
      • 2021-05-31
      • 2020-08-15
      • 2014-05-15
      • 1970-01-01
      • 2019-06-23
      • 2018-05-05
      • 1970-01-01
      • 1970-01-01
      • 2020-10-19
      相关资源
      最近更新 更多