Rancher-Kubewarden-保姆级教学-含Demo测试-kube-apiserver Admission (v1) | Kubernetes

2024-05-10 20:40:20

                        *上面为参考文档,了解即可,具体的json文件可以用Chart-Gpt生成。

                3、下面为我们测试的json例子,保存为disallow-service-nodeport.json.

{
  "kind": "AdmissionReview",
  "apiVersion": "admission.k8s.io/v1",
  "request": {
    "uid": "12345678-1234-1234-1234-1234567890ab",
    "kind": {
      "group": "",
      "version": "v1",
      "kind": "Service"
    },
    "resource": {
      "group": "",
      "version": "v1",
      "resource": "services"
    },
    "namespace": "default",
    "operation": "CREATE",
    "userInfo": {
      "username": "user",
      "groups": ["system:masters"]
    },
    "object": {
      "kind": "Service",
      "apiVersion": "v1",
      "metadata": {
        "name": "my-service",
        "namespace": "default"
      },
      "spec": {
        "type": "NodePort",
        "ports": [
          {
            "port": 80,
            "targetPort": 80,
            "protocol": "TCP"
          }
        ]
      }
    },
    "oldObject": null
  }
}

        4、测试

 

rke2-01:~/rust # kwctl run registry://ghcr.io/kubewarden/policies/disallow-service-nodeport:v0.1.7 -r disallow-service-nodeport.json
libunwind: __unw_add_dynamic_fde: bad fde: FDE is really a CIE
{"uid":"12345678-1234-1234-1234-1234567890ab","allowed":false,"status":{"message":"Service of type NodePort are not allowed"},"auditAnnotations":null,"warnings":null}

*策略给拦截了,因为我们创建的是一个类型为NodePort的Service。

*接下来我们把这条规则部署到k8s集群中测试。

        5、编写 ClusterAdmissionPolicy or AdmissionPolicy ,我们使用AdmissionPolicy在default命名空间下测试。

vim no_Node_Port_svc.yaml

*不写policy_server字段默认为 default. 的policy-server. 

apiVersion: policies.kubewarden.io/v1alpha2
kind: AdmissionPolicy
metadata:
  name: privileged-pods
  namespace: default
spec:
  module: "registry://ghcr.io/kubewarden/policies/disallow-service-nodeport:v0.1.7"
  settings: {}
  rules:
    - apiGroups:
        - ""
      apiVersions:
        - v1
      resources:
        - services
      operations:
        - CREATE
        - UPDATE
  mutating: false

部署策略。 

kubectl apply -f no_Node_Port_svc.yaml

查看验证:
 

kubectl get admissionpolicy -A

*状态为active则生效,下面开始测试。

        5、测试yaml,在default空间下,类型为NodePort

vim demo_svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: my-nodeport-service
  namespace: default
spec:
  selector:
    app: my-app
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
      nodePort: 30000  # NodePort的端口号
  type: NodePort

 部署测试:

kubectl apply -f demo_svc.yaml

 

 被策略阻止了,测试成功。

清理: 

kubectl delete -f no_Node_Port_svc.yaml
kubectl get admissionpolicy -A
rke2-01:~/rust # kubectl delete -f no_Node_Port_svc.yaml
admissionpolicy.policies.kubewarden.io "privileged-pods" deleted
rke2-01:~/rust # kubectl get admissionpolicy -A
No resources found

 清理完毕后就可以创建了,确认为策略阻止了:

总结:

        1、Rancher的项目依旧能打。

        2、对于不想在pod中写security context的运维同行是福音。

        3、控制器和policy-server 分离部署,方便扩展好评。

        4、运维人员写不了策略差评,希望后期能给个python的sdk.

上一篇:【python基础】python经典题目100题-初阶题目


下一篇:详解:ic网站建设开发需要注意什么?