* The above is reference documentation; a general understanding is enough. The concrete JSON file can be generated with ChatGPT.
3. Below is the JSON example we use for testing; save it as disallow-service-nodeport.json.
{
  "kind": "AdmissionReview",
  "apiVersion": "admission.k8s.io/v1",
  "request": {
    "uid": "12345678-1234-1234-1234-1234567890ab",
    "kind": {
      "group": "",
      "version": "v1",
      "kind": "Service"
    },
    "resource": {
      "group": "",
      "version": "v1",
      "resource": "services"
    },
    "namespace": "default",
    "operation": "CREATE",
    "userInfo": {
      "username": "user",
      "groups": ["system:masters"]
    },
    "object": {
      "kind": "Service",
      "apiVersion": "v1",
      "metadata": {
        "name": "my-service",
        "namespace": "default"
      },
      "spec": {
        "type": "NodePort",
        "ports": [
          {
            "port": 80,
            "targetPort": 80,
            "protocol": "TCP"
          }
        ]
      }
    },
    "oldObject": null
  }
}
4. Test
rke2-01:~/rust # kwctl run registry://ghcr.io/kubewarden/policies/disallow-service-nodeport:v0.1.7 -r disallow-service-nodeport.json
libunwind: __unw_add_dynamic_fde: bad fde: FDE is really a CIE
{"uid":"12345678-1234-1234-1234-1234567890ab","allowed":false,"status":{"message":"Service of type NodePort are not allowed"},"auditAnnotations":null,"warnings":null}
* The policy rejected the request, because the Service we created is of type NodePort.
* Next we deploy this policy into the k8s cluster and test it there.
5. Write a ClusterAdmissionPolicy or an AdmissionPolicy; we use an AdmissionPolicy and test in the default namespace.
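To understand what kwctl evaluated above, here is an added example (not the Kubewarden policy's own code) that re-implements the same NodePort check in Python over the AdmissionReview fixture, and derives ClusterIP and UPDATE variants of the fixture; `evaluate` and `make_review` are hypothetical helper names, and the fixture is a constructed copy of the JSON above.

```python
import copy
import json

# Constructed fixture shaped like disallow-service-nodeport.json above (trimmed fields).
NODEPORT_REVIEW = {
    "kind": "AdmissionReview",
    "apiVersion": "admission.k8s.io/v1",
    "request": {
        "uid": "12345678-1234-1234-1234-1234567890ab",
        "kind": {"group": "", "version": "v1", "kind": "Service"},
        "namespace": "default",
        "operation": "CREATE",
        "object": {
            "kind": "Service",
            "apiVersion": "v1",
            "metadata": {"name": "my-service", "namespace": "default"},
            "spec": {"type": "NodePort",
                     "ports": [{"port": 80, "targetPort": 80, "protocol": "TCP"}]},
        },
        "oldObject": None,
    },
}


def evaluate(review: dict) -> dict:
    """Local re-implementation of the disallow-service-nodeport rule (hypothetical helper):
    deny a Service whose spec.type is NodePort, allow everything else.
    The response has the same shape as the JSON kwctl printed above."""
    req = review["request"]
    response = {"uid": req["uid"], "allowed": True, "status": None,
                "auditAnnotations": None, "warnings": None}
    if req["kind"].get("kind") != "Service":
        return response  # not a Service: the rule does not apply
    spec = (req.get("object") or {}).get("spec", {})
    # A missing spec.type means ClusterIP in Kubernetes, so only an explicit NodePort is denied.
    if spec.get("type") == "NodePort":
        response["allowed"] = False
        response["status"] = {"message": "Service of type NodePort are not allowed"}
    return response


def make_review(base: dict, svc_type: str, operation: str = "CREATE") -> dict:
    """Derive a new fixture with another Service type/operation; base is deep-copied, not mutated.
    For UPDATE the original object is carried in oldObject, as the API server would send it."""
    review = copy.deepcopy(base)
    review["request"]["operation"] = operation
    review["request"]["object"]["spec"]["type"] = svc_type
    if operation == "UPDATE":
        review["request"]["oldObject"] = copy.deepcopy(base["request"]["object"])
    return review


if __name__ == "__main__":
    for svc_type in ("NodePort", "ClusterIP", "LoadBalancer"):
        print(svc_type, json.dumps(evaluate(make_review(NODEPORT_REVIEW, svc_type))))
```

Writing the derived fixtures out with `json.dump` gives extra inputs for `kwctl run ... -r`, so the real policy can be checked against the allow cases as well as the deny case.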
vim no_Node_Port_svc.yaml
* If the policyServer field is omitted, the policy is bound to the policy-server named default.
apiVersion: policies.kubewarden.io/v1alpha2
kind: AdmissionPolicy
metadata:
  name: privileged-pods
  namespace: default
spec:
  module: "registry://ghcr.io/kubewarden/policies/disallow-service-nodeport:v0.1.7"
  settings: {}
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    resources:
    - services
    operations:
    - CREATE
    - UPDATE
  mutating: false
Deploy the policy:
kubectl apply -f no_Node_Port_svc.yaml
Check and verify:
kubectl get admissionpolicy -A
* When the status is active the policy is in effect; now we start testing.
6. Test YAML: a Service of type NodePort in the default namespace.
vim demo_svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: my-nodeport-service
  namespace: default
spec:
  selector:
    app: my-app
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
    nodePort: 30000 # the NodePort port number
  type: NodePort
Deploy to test:
kubectl apply -f demo_svc.yaml
It was blocked by the policy; the test succeeded.
Cleanup:
kubectl delete -f no_Node_Port_svc.yaml
kubectl get admissionpolicy -A
rke2-01:~/rust # kubectl delete -f no_Node_Port_svc.yaml
admissionpolicy.policies.kubewarden.io "privileged-pods" deleted
rke2-01:~/rust # kubectl get admissionpolicy -A
No resources found
After the cleanup the Service can be created, which confirms it was the policy that blocked it:
Summary:
1. Rancher's projects are still solid.
2. For ops colleagues who do not want to write a security context into every pod, this is good news.
3. The controller and the policy-server are deployed separately, which makes scaling easy; a plus.
4. Ops staff cannot write policies themselves; a minus. Hopefully a Python SDK will be provided later.