
Restricting ingress/egress CIDR ranges – OPA Gatekeeper NetworkPolicy

How to resolve: restricting ingress/egress CIDR ranges – OPA Gatekeeper NetworkPolicy

I am trying to deploy some NetworkPolicies through OPA Gatekeeper that restrict ingress/egress CIDR ranges. So first I have to create a constraint template, which will apply to any kind of ingress/egress access to any IP or IP CIDR range except the ranges allowed in the yaml file below:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdenyegress
spec:
  crd:
    spec:
      names:
        kind: K8sDenyEgress
      validation:
        openAPIV3Schema:
          properties:
            cidr:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenyegress
        violation [{"msg": msg}] {
            input.review.object.kind == "NetworkPolicy"
            cidr_or_ip :=  { ip | ip := input.review.object.spec.egress[_].to[_].ipBlock.cidr}
            cidr := { ip | ip := input.parameters.cidr[_]}
            value := net.cidr_contains(cidr,cidr_or_ip)
            not(value)
            msg := "The specified IP is not allowed."
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyEgress
metadata:
  name: deny-egress
spec:
  match:
    kinds:
      - apiGroups: ["networking.k8s.io"]
        kinds: ["NetworkPolicy"]
  parameters:
    cidr:
      - "192.168.0.1/24"

Once deployed, the following error appears:

Target:  admission.k8s.gatekeeper.sh
Status:
  By Pod:
    Errors:
      Code:               ingest_error
      Message:            Could not ingest Rego: 1 error occurred: __modset_templates["admission.k8s.gatekeeper.sh"]["K8sDenyEgress"]_idx_0:7: rego_type_error: net.cidr_contains: invalid argument(s)
                          have: (set[any],set[any],???)
                          want: (string,string,boolean)
    Id:                   gatekeeper-audit-54c9759898-xxdmd
    Observed Generation:  1
    Operations:
      audit
      status
    Template UID:  f29e2dd0-5918-48a7-b943-23f36b91690f
    Errors:
      Code:               ingest_error
      Message:            Could not ingest Rego: 1 error occurred: __modset_templates["admission.k8s.gatekeeper.sh"]["K8sDenyEgress"]_idx_0:7: rego_type_error: net.cidr_contains: invalid argument(s)
                          have: (set[any],boolean)
    Id:                   gatekeeper-controller-manager-6bcc7f8fb5-fjbfq
    Observed Generation:  1
    Operations:
      webhook
    Template UID:  f29e2dd0-5918-48a7-b943-23f36b91690f
    Errors:
      Code:               ingest_error
      Message:            Could not ingest Rego: 1 error occurred: __modset_templates["admission.k8s.gatekeeper.sh"]["K8sDenyEgress"]_idx_0:7: rego_type_error: net.cidr_contains: invalid argument(s)
                          have: (set[any],boolean)
    Id:                   gatekeeper-controller-manager-6bcc7f8fb5-gwhrl
    Observed Generation:  1
    Operations:
      webhook
    Template UID:  f29e2dd0-5918-48a7-b943-23f36b91690f
    Errors:
      Code:               ingest_error
      Message:            Could not ingest Rego: 1 error occurred: __modset_templates["admission.k8s.gatekeeper.sh"]["K8sDenyEgress"]_idx_0:7: rego_type_error: net.cidr_contains: invalid argument(s)
                          have: (set[any],boolean)
    Id:                   gatekeeper-controller-manager-6bcc7f8fb5-sc67f
    Observed Generation:  1
    Operations:
      webhook
    Template UID:  f29e2dd0-5918-48a7-b943-23f36b91690f
  Created:         true
Events:            <none>

Could you help resolve this error?
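As an added example (not part of the original question), this is one way to write the rule so that net.cidr_contains receives the string arguments its signature requires: iterate over each egress destination and require that at least one configured CIDR contains it. It assumes the same parameter schema (`cidr` as a list of strings) and the Rego v0 syntax used by the template above.

```rego
package k8sdenyegress

# Every egress destination CIDR declared in the NetworkPolicy under review.
egress_cidrs := {c | c := input.review.object.spec.egress[_].to[_].ipBlock.cidr}

# A destination is allowed when some configured CIDR (a string) fully contains it.
# net.cidr_contains takes (string, string) and returns a boolean.
allowed(dest) {
    net.cidr_contains(input.parameters.cidr[_], dest)
}

# One violation per egress destination that no allowed CIDR covers.
violation[{"msg": msg}] {
    input.review.object.kind == "NetworkPolicy"
    dest := egress_cidrs[_]
    not allowed(dest)
    msg := sprintf("egress to %v is outside the allowed CIDR ranges %v", [dest, input.parameters.cidr])
}
```

Ingress can be handled the same way by collecting `spec.ingress[_].from[_].ipBlock.cidr`, and an `except` list inside an ipBlock still needs its own check if it should be constrained.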
