kubewarden / kubewarden-controller

Manage admission policies in your Kubernetes cluster with ease
https://kubewarden.io
Apache License 2.0

Kubewarden Blocking External IPS #914

Open saiben10 opened 1 month ago

saiben10 commented 1 month ago

Hello,

So up to now we used OPA policies for Kubernetes (blocking externalIPs, namespace owner label) and need to replace them with Kubewarden. Are there any policies for externalIPs and replica count in Kubewarden? I don't see those in Artifact Hub.

Please clarify on this.

Thanks

flavio commented 1 month ago

You can reuse your OPA/Gatekeeper policies with Kubewarden. Please take a look at this section of our documentation. You will see how you can use the opa CLI tool to compile a .rego policy into .wasm and then use it inside of Kubewarden.

saiben10 commented 1 month ago

So, do I need to write the policy from scratch, as I am not aware of Rego? Please clarify on this.

saiben10 commented 1 month ago

Hey @flavio, these were my previous OPA constraint templates and constraints.

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sexternalips
  annotations:
    description: "Restricts Services from containing externalIPs except those in a provided allowlist."
spec:
  crd:
    spec:
      names:
        kind: K8sExternalIPs
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          type: object
          properties:
            allowedIPs:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sexternalips
        violation[{"msg": msg}] {
          input.review.kind.kind == "Service"
          input.review.kind.group == ""
          allowedIPs := {ip | ip := input.parameters.allowedIPs[_]}
          externalIPs := {ip | ip := input.review.object.spec.externalIPs[_]}
          forbiddenIPs := externalIPs - allowedIPs
          count(forbiddenIPs) > 0
          msg := sprintf("service has forbidden external IPs: %v", [forbiddenIPs])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: external-ips-opa
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    excludedNamespaces: ["cattle-system","calico-system","fleet-system","cattle-fleet-system","cattle-monitoring-system","kube-node-lease","kube-public","kube-system","default","ingress-nginx","cis-operator-system","cattle-pipeline","tigera-operator","cattle-impersonation-system"]
  parameters:
    allowedIPs:
      - ""

How can I convert this? I tried to install the opa CLI but it is not working for the conversion. Do we need to push these modules to GCR, and is there any other method to use? We have 3 more policies to convert.

Please clarify on this.

saiben10 commented 4 weeks ago

Hello, @flavio

Any inputs on this? Please let me know.

flavio commented 4 weeks ago

You should start by using the gatekeeper-policy-template repository. Then replace the contents of policy.rego with the Rego code you pasted above. Running make policy will produce a .wasm file. Update the metadata.yml file inside of the repo and do make annotate. You can then push the annotated wasm file to a registry and consume it like any other Kubewarden policy.

The documentation I linked previously will guide you through each step.
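As an added example (not from this issue or the Kubewarden project), the ClusterAdmissionPolicy that would consume the annotated .wasm after the last step of the procedure above, carrying over the Constraint's excludedNamespaces and allowedIPs; the module URL is a placeholder, and it assumes the Gatekeeper-compatible policy reads its settings from input.parameters, as the Rego above does.

```yaml
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: external-ips
spec:
  # Placeholder: the annotated .wasm pushed to your registry (replace org/name/tag).
  module: registry://ghcr.io/EXAMPLE-ORG/policies/external-ips:v0.1.0
  policyServer: default
  # "monitor" only logs violations; switch to "protect" once the port is validated.
  mode: monitor
  mutating: false
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["services"]
      operations: ["CREATE", "UPDATE"]
  # Equivalent of the Constraint's excludedNamespaces: skip these namespaces.
  namespaceSelector:
    matchExpressions:
      - key: kubernetes.io/metadata.name
        operator: NotIn
        values:
          - cattle-system
          - calico-system
          - fleet-system
          - cattle-fleet-system
          - cattle-monitoring-system
          - kube-node-lease
          - kube-public
          - kube-system
          - default
          - ingress-nginx
          - cis-operator-system
          - cattle-pipeline
          - tigera-operator
          - cattle-impersonation-system
  # Exposed to the Rego policy as input.parameters (assumption: Gatekeeper-compatible mode).
  settings:
    allowedIPs:
      - ""   # as in the Constraint above: no external IP is allowed
```

Apply with kubectl apply -f and check the Service admission is rejected (or logged, in monitor mode) with the "service has forbidden external IPs" message from the Rego rule.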