Closed DorB-P closed 7 months ago
Few notes from current kube-mgmt spare time maintainer:
kube-mgmt is to use the Helm chart, which is covered with e2e tests that are executed on each release.

Thanks @eshepelyuk, I missed that Helm chart! I'll try to use it as soon as I can and update the issue if it's fixed. It does look like the tutorial is being maintained on the OPA side (OPA latest version), maybe not, who knows.
Regarding Gatekeeper, I am also playing with that project atm, but the functionalities I require are so much harder to implement. AFAICT:

1. Decision logs (with the logDenies option) are currently only streamed to the Gatekeeper pods' stdout, and I need those, so I must have my own app in the cluster to monitor and collect them (and send them to my remote server). Those Gatekeeper Audit logs are not what I'm looking for...
2. Bundle API ideology, perfect for my use case! I wish Gatekeeper would implement something similar, maybe even a periodic kubectl apply --kustomize kustomization.yaml where kustomization.yaml points to my personal remote library... ATM I must have a privileged pod that will periodically sync my remote library and apply the templates and constraints to the cluster. With the Bundle API this was a gift!

So yea, I'm trying Gatekeeper, which means I need to create an image that will do 1 and 2 for my needs.

Thanks again for the clarification, I'll keep you posted on whether this was fixed by the latest kube-mgmt version.
Regarding decision logs, there are 2 possibilities:

Regarding Gatekeeper, I can't advise myself, but it looks like it has a bigger community and gets more attention, so you can also ask for help in their GitHub or Slack.
Closing for now. Will re-open if I see this happens with newer kube-mgmt.
Description:
kube-mgmt attempts to sync the ConfigMap kube-root-ca.crt from the opa namespace when applying the admission-controller.yaml from the official OPA Kubernetes Ingress Validation tutorial. Even on a clean cluster with only the opa namespace, the TLS secret and the bundle server, the following issues occur:

Expected behavior:
kubectl logs -l app=opa -c opa -f -n opa
should only show logs with "resp_status": 200 after tutorial step 6.

Actual effects:
Logs show a
PUT /v1/policies/opa/kube-root-ca.crt/ca.crt
request every minute with "resp_status": 400.
kubectl get configmap kube-root-ca.crt -o yaml
shows openpolicyagent.org/policy-status annotations:

Steps to Reproduce:
Follow the tutorial until step 6 and run the following, then give it a minute:

Environment:
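One way to confirm the symptom from the report in OPA's request logs, as an added example that is not part of the issue or of kube-mgmt: it parses JSON log lines and counts PUT /v1/policies/... requests that OPA rejected, so a ConfigMap that kube-mgmt keeps re-uploading every minute with "resp_status": 400 stands out. The field names (req_method, req_path, resp_status) follow OPA's server request logging, and the sample lines are constructed for this example.

```python
import json
from collections import Counter

# Constructed sample of OPA server request-log lines (one JSON object per line).
# Field names follow OPA's request logging (req_method, req_path, resp_status);
# timestamps and the ingress policy path are made up for this example.
SAMPLE_LOG = """\
{"level":"info","msg":"Sent response.","req_method":"PUT","req_path":"/v1/policies/opa/ingress-conflicts/main","resp_status":200,"time":"2023-01-01T10:00:00Z"}
{"level":"info","msg":"Sent response.","req_method":"PUT","req_path":"/v1/policies/opa/kube-root-ca.crt/ca.crt","resp_status":400,"time":"2023-01-01T10:00:05Z"}
{"level":"info","msg":"Sent response.","req_method":"POST","req_path":"/","resp_status":200,"time":"2023-01-01T10:00:30Z"}
not-json noise line that a robust parser must tolerate
{"level":"info","msg":"Sent response.","req_method":"PUT","req_path":"/v1/policies/opa/kube-root-ca.crt/ca.crt","resp_status":400,"time":"2023-01-01T10:01:05Z"}
"""

POLICY_PREFIX = "/v1/policies/"

def parse_lines(text):
    """Yield one dict per well-formed JSON log line; skip anything else."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec

def failed_policy_puts(text):
    """Count non-2xx PUT /v1/policies/... requests per request path.
    The report shows kube-mgmt retrying the same PUT every minute, so a
    ConfigMap OPA keeps rejecting gets a count that grows by one per minute."""
    failures = Counter()
    for rec in parse_lines(text):
        path = rec.get("req_path", "")
        status = rec.get("resp_status")
        if rec.get("req_method") != "PUT" or not path.startswith(POLICY_PREFIX):
            continue
        if not isinstance(status, int) or not 200 <= status < 300:
            failures[path] += 1
    return dict(failures)

def rejected_policy_ids(text, min_failures=2):
    """Policy ids (namespace/configmap/key) rejected at least min_failures times."""
    return sorted(path[len(POLICY_PREFIX):]
                  for path, n in failed_policy_puts(text).items()
                  if n >= min_failures)

if __name__ == "__main__":
    for pid in rejected_policy_ids(SAMPLE_LOG):
        print("repeatedly rejected policy upload:", pid)
```

To run it against a live cluster, pipe the output of kubectl logs -l app=opa -c opa -n opa into the script in place of SAMPLE_LOG.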