This document was translated using automated machine translation. Although we strive to provide an accurate translation, no guarantee is made as to the completeness, accuracy or reliability of the translated content. In the event of any inconsistency, the original English version takes precedence and is the authoritative text.

This is unreleased documentation for Admission Controller 1.34-dev.

Distributing Gatekeeper policies with the SUSE Security Admission Controller

A policy must be annotated before it can be pushed and, ultimately, executed by the SUSE Security Admission Controller `policy-server` in a Kubernetes cluster.

Annotating and distributing a Gatekeeper policy works the same way as distributing an Open Policy Agent policy.

Annotating the policy

Write a `metadata.yaml` file in the policy directory with the following contents:

rules:
- apiGroups: [""]
  apiVersions: ["*"]
  resources: ["*"]
  operations: ["CREATE"]
mutating: false
contextAware: false
executionMode: gatekeeper
annotations:
  io.kubewarden.policy.title: no-default-namespace
  io.kubewarden.policy.version: 0.1.0 # should match the OCI tag
  io.kubewarden.policy.description: This policy will reject any resource created inside the default namespace
  io.kubewarden.policy.author: The Admission Controller Authors
  io.kubewarden.policy.url: https://github.com/kubewarden/some-policy
  io.kubewarden.policy.source: https://github.com/kubewarden/some-policy
  io.kubewarden.policy.license: Apache-2.0
  io.kubewarden.policy.usage: |
      This policy is just an example.

      You can write interesting descriptions about the policy here.

Everything is identical to the metadata of the Open Policy Agent version, except for the `executionMode: gatekeeper` line.

Now annotate the policy:

$ kwctl annotate policy.wasm --metadata-path metadata.yaml --output-path annotated-policy.wasm

Pushing the policy

Push the policy to an OCI registry:

$ kwctl push annotated-policy.wasm registry.my-company.com/kubewarden/no-default-namespace-gatekeeper:v0.0.1
Policy successfully pushed

Deploying on Kubernetes

You must first pull the policy into your local `kwctl` store:

$ kwctl pull registry://registry.my-company.com/kubewarden/no-default-namespace-gatekeeper:v0.0.1
pulling policy...

You can now scaffold a `ClusterAdmissionPolicy` resource:

$ kwctl scaffold manifest registry://registry.my-company.com/kubewarden/no-default-namespace-gatekeeper:v0.0.1 --type ClusterAdmissionPolicy
---
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: generated-policy
spec:
  module: "registry://registry.my-company.com/kubewarden/no-default-namespace-gatekeeper:v0.0.1"
  settings: {}
  rules:
    - apiGroups:
        - ""
      apiVersions:
        - "*"
      resources:
        - "*"
      operations:
        - CREATE
  mutating: false

Now deploy the policy to the Kubernetes cluster by applying this `ClusterAdmissionPolicy` resource.
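The steps above (write `metadata.yaml`, annotate, push under an OCI tag, scaffold a `ClusterAdmissionPolicy`) are easy to get subtly wrong: the `io.kubewarden.policy.version` annotation is expected to match the OCI tag, and the rules in the scaffolded manifest must be the ones from the metadata. The following pre-push check, an added example that is not part of the SUSE Security or Kubewarden documentation and not part of `kwctl`, mirrors the page's `metadata.yaml` and OCI reference as constructed Python data, reports metadata problems, and builds the same `ClusterAdmissionPolicy` structure that `kwctl scaffold manifest` prints. The helper names (`oci_tag`, `validate_metadata`, `scaffold_manifest`) and the list of expected annotations are assumptions of this example, not a `kwctl` API.

```python
"""Pre-push checks for a Kubewarden Gatekeeper policy's metadata.yaml.

Added example; not part of the SUSE Security / Kubewarden docs or of kwctl.
The data below is constructed to mirror the metadata and OCI reference
shown on the page, already parsed into plain Python structures.
"""

# Constructed: the metadata.yaml from the page as a dict.
METADATA = {
    "rules": [
        {"apiGroups": [""], "apiVersions": ["*"],
         "resources": ["*"], "operations": ["CREATE"]},
    ],
    "mutating": False,
    "contextAware": False,
    "executionMode": "gatekeeper",
    "annotations": {
        "io.kubewarden.policy.title": "no-default-namespace",
        "io.kubewarden.policy.version": "0.1.0",
        "io.kubewarden.policy.description":
            "This policy will reject any resource created inside the default namespace",
        "io.kubewarden.policy.author": "The Admission Controller Authors",
        "io.kubewarden.policy.url": "https://github.com/kubewarden/some-policy",
        "io.kubewarden.policy.source": "https://github.com/kubewarden/some-policy",
        "io.kubewarden.policy.license": "Apache-2.0",
        "io.kubewarden.policy.usage": "This policy is just an example.",
    },
}

# Constructed: the reference used in the page's push/pull commands.
OCI_REF = "registry.my-company.com/kubewarden/no-default-namespace-gatekeeper:v0.0.1"

# Assumption of this example: the annotations the page's metadata sets are
# treated as the ones a policy should always carry.
EXPECTED_ANNOTATIONS = tuple(METADATA["annotations"].keys())


def oci_tag(ref):
    """Return the tag of an OCI reference ('v0.0.1'), or None if it has none.

    Only the last path component is inspected so that a port in the
    registry host (host:5000/...) is not mistaken for a tag; a reference
    pinned by digest (name@sha256:...) carries no tag.
    """
    name = ref.split("/")[-1]
    if "@" in name or ":" not in name:
        return None
    return name.rsplit(":", 1)[1]


def version_matches_tag(version, tag):
    """True if the annotation version equals the tag, ignoring a leading 'v'."""
    return tag is not None and tag.lstrip("v") == version


def validate_metadata(meta, ref):
    """Return a list of findings (empty when the metadata looks consistent)."""
    findings = []
    if meta.get("executionMode") != "gatekeeper":
        findings.append("executionMode must be 'gatekeeper' for a Gatekeeper policy")
    annotations = meta.get("annotations") or {}
    for key in EXPECTED_ANNOTATIONS:
        if key not in annotations:
            findings.append(f"missing annotation {key}")
    version = annotations.get("io.kubewarden.policy.version")
    tag = oci_tag(ref)
    if version and not version_matches_tag(version, tag):
        findings.append(f"annotation version {version} does not match OCI tag {tag}")
    rules = meta.get("rules") or []
    if not rules:
        findings.append("rules must not be empty")
    for rule in rules:
        if not rule.get("operations"):
            findings.append("a rule lists no operations")
    return findings


def scaffold_manifest(meta, ref, name="generated-policy"):
    """Build the ClusterAdmissionPolicy dict that the scaffold step produces."""
    return {
        "apiVersion": "policies.kubewarden.io/v1alpha2",
        "kind": "ClusterAdmissionPolicy",
        "metadata": {"name": name},
        "spec": {
            "module": f"registry://{ref}",
            "settings": {},
            "rules": [dict(rule) for rule in meta["rules"]],
            "mutating": meta["mutating"],
        },
    }


if __name__ == "__main__":
    for finding in validate_metadata(METADATA, OCI_REF) or ["metadata OK"]:
        print(finding)
    print(scaffold_manifest(METADATA, OCI_REF)["spec"]["module"])
```

Run against the page's own values, the check reports that the annotation version `0.1.0` does not match the tag `v0.0.1`, which is exactly the discrepancy the `# should match the OCI tag` comment in the metadata warns about; pushing under a tag such as `v0.1.0` makes the check pass.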