
Gatekeeper Cheat Sheet


Installation and Setup

Install Gatekeeper

```bash
# Install latest Gatekeeper
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.14/deploy/gatekeeper.yaml

# Verify installation
kubectl get pods -n gatekeeper-system
kubectl get crd | grep gatekeeper
```

Check System Status

```bash
# Check all Gatekeeper components
kubectl get all -n gatekeeper-system

# View Gatekeeper configuration
kubectl get config -n gatekeeper-system -o yaml

# Check webhook configuration (resource type is validatingwebhookconfiguration)
kubectl get validatingwebhookconfiguration gatekeeper-validating-webhook-configuration
```

Constraint Templates

Create a Constraint Template

```yaml
# constraint-template.yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        # Schema for the constraint's spec.parameters
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg}] {
          required := input.parameters.labels
          provided := input.review.object.metadata.labels
          missing := required[_]
          not provided[missing]
          msg := sprintf("Missing required label: %v", [missing])
        }
```

Apply Template

```bash
# Apply constraint template
kubectl apply -f constraint-template.yaml

# List all constraint templates
kubectl get constrainttemplates

# View template details
kubectl describe constrainttemplate k8srequiredlabels
```

Constraints

Create a Constraint

```yaml
# constraint.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: must-have-environment
spec:
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
    namespaces: ["production"]
  parameters:
    labels: ["environment", "team", "version"]
```

Manage Constraints

```bash
# Apply constraint
kubectl apply -f constraint.yaml

# List all constraints
kubectl get constraints

# View constraint status
kubectl get k8srequiredlabels must-have-environment -o yaml

# Check violations
kubectl describe k8srequiredlabels must-have-environment
```

Examples

Required Labels Policy

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        openAPIV3Schema:
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg}] {
          required := input.parameters.labels
          provided := input.review.object.metadata.labels
          missing := required[_]
          not provided[missing]
          msg := sprintf("Missing required label: %v", [missing])
        }
```

Resource Limits Policy

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8scontainerlimits
spec:
  crd:
    spec:
      names:
        kind: K8sContainerLimits
      validation:
        openAPIV3Schema:
          properties:
            cpu:
              type: string
            memory:
              type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8scontainerlimits

        # spec.containers is the Pod path; a constraint matching Deployments
        # would need spec.template.spec.containers instead

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          not container.resources.limits.cpu
          msg := "Container must have CPU limits"
        }

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          not container.resources.limits.memory
          msg := "Container must have memory limits"
        }
```

Security Context Policy

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8ssecuritycontext
spec:
  crd:
    spec:
      names:
        kind: K8sSecurityContext
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8ssecuritycontext

        # Pod-level securityContext has no runAsRoot field; the Kubernetes
        # field is runAsNonRoot, so require it to be set to true
        violation[{"msg": msg}] {
          not input.review.object.spec.securityContext.runAsNonRoot
          msg := "Pods must set securityContext.runAsNonRoot: true"
        }

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          container.securityContext.privileged == true
          msg := "Privileged containers are not allowed"
        }
```
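The three Rego policies above all read `input.review.object` as if it were a Pod. As an added example (not Gatekeeper code and not part of the original page), the following Python re-implements the same three checks so a manifest can be linted offline before it reaches the admission webhook, and it makes the path difference explicit: a Deployment's containers sit under `spec.template.spec`, so a template written against `spec.containers` silently matches nothing when its constraint targets Deployments. The sample objects, the `pod_spec` helper and the `resolve_template` switch are assumptions of this example.

```python
from __future__ import annotations

from typing import Any

# Labels demanded by the must-have-environment constraint above
REQUIRED_LABELS = ["environment", "team", "version"]


def pod_spec(obj: dict[str, Any]) -> dict[str, Any]:
    """PodSpec of a Pod, or of the pod template of a workload such as a Deployment."""
    if obj.get("kind") == "Pod":
        return obj.get("spec") or {}
    return ((obj.get("spec") or {}).get("template") or {}).get("spec") or {}


def required_labels(obj: dict[str, Any], labels: list[str]) -> list[str]:
    """Mirror of k8srequiredlabels: one message per label absent from metadata.labels.
    An absent labels map counts as nothing provided, as `not provided[missing]` does in Rego."""
    provided = (obj.get("metadata") or {}).get("labels") or {}
    return [f"Missing required label: {label}" for label in labels if label not in provided]


def container_limits(obj: dict[str, Any], resolve_template: bool = False) -> list[str]:
    """Mirror of k8scontainerlimits. With resolve_template=False this reads
    spec.containers exactly as the Rego above does, so it finds no containers on a
    Deployment; with resolve_template=True it descends into spec.template.spec first."""
    spec = pod_spec(obj) if resolve_template else (obj.get("spec") or {})
    msgs: list[str] = []
    for c in spec.get("containers") or []:
        limits = (c.get("resources") or {}).get("limits") or {}
        if "cpu" not in limits:
            msgs.append("Container must have CPU limits")
        if "memory" not in limits:
            msgs.append("Container must have memory limits")
    return msgs


def security_context(obj: dict[str, Any]) -> list[str]:
    """Mirror of k8ssecuritycontext: the pod must set runAsNonRoot, no container may be privileged."""
    spec = pod_spec(obj)
    msgs: list[str] = []
    if not (spec.get("securityContext") or {}).get("runAsNonRoot"):
        msgs.append("Pods must set securityContext.runAsNonRoot: true")
    for c in spec.get("containers") or []:
        if (c.get("securityContext") or {}).get("privileged") is True:
            msgs.append("Privileged containers are not allowed")
    return msgs


def evaluate(obj: dict[str, Any]) -> list[str]:
    """Every message the three policies would raise for one admission object (input.review.object)."""
    return (required_labels(obj, REQUIRED_LABELS)
            + container_limits(obj, resolve_template=True)
            + security_context(obj))


# Constructed sample objects, not captured from a cluster
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "production", "labels": {"environment": "prod"}},
    "spec": {"template": {"spec": {
        "containers": [{"name": "web", "image": "nginx:1.25",
                        "resources": {"limits": {"cpu": "500m"}},
                        "securityContext": {"privileged": True}}]}}},
}

GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "ok", "namespace": "production",
                 "labels": {"environment": "prod", "team": "platform", "version": "1.0"}},
    "spec": {"securityContext": {"runAsNonRoot": True},
             "containers": [{"name": "app", "image": "app:1.0",
                             "resources": {"limits": {"cpu": "250m", "memory": "128Mi"}}}]},
}

if __name__ == "__main__":
    for name, obj in (("bad deployment", BAD_DEPLOYMENT), ("good pod", GOOD_POD)):
        print(f"{name}: {evaluate(obj) or 'no violations'}")
```

Running it against `BAD_DEPLOYMENT` with `container_limits(obj)` (the literal Rego path) returns nothing, while `container_limits(obj, resolve_template=True)` reports the missing memory limit; that is the gap a Deployment-scoped constraint built from the template above would leave open.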

Configuration Management

Sync Configuration

```yaml
# sync-config.yaml
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: gatekeeper-system
spec:
  sync:
    # Replicate these kinds into OPA so policies can reference data.inventory
    syncOnly:
      - group: ""
        version: "v1"
        kind: "Namespace"
      - group: "apps"
        version: "v1"
        kind: "Deployment"
  validation:
    traces:
      - user: ""   # placeholder: username whose requests should be traced
        kind:
          group: ""
          version: ""
          kind: "*"
```

Exclude Namespaces

```yaml
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: gatekeeper-system
spec:
  match:
    - excludedNamespaces: ["kube-system", "gatekeeper-system"]
      processes: ["*"]
```

Mutation Policies

Assign Mutation

```yaml
# assign-mutation.yaml
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
  name: add-security-label
spec:
  applyTo:
    - groups: ["apps"]
      kinds: ["Deployment"]
      versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
  location: "metadata.labels.security-scan"
  parameters:
    assign:
      value: "required"
```

AssignMetadata Mutation

```yaml
# assignmetadata-mutation.yaml
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: AssignMetadata
metadata:
  name: add-annotation
spec:
  match:
    scope: Namespaced
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  location: "metadata.annotations.gatekeeper"
  parameters:
    assign:
      value: "mutated"
```

External Data

Provider Configuration

```yaml
# provider-config.yaml
apiVersion: externaldata.gatekeeper.sh/v1alpha1
kind: Provider
metadata:
  name: image-scanner
spec:
  url: https://image-scanner.example.com/scan
  timeout: 30   # seconds
  # current Gatekeeper releases also require caBundle (base64-encoded CA)
  # so the HTTPS endpoint is verified
```

External Data Template

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8simagescan
spec:
  crd:
    spec:
      names:
        kind: K8sImageScan
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8simagescan

        # external_data returns an object of the form
        # {"responses": [[key, value], ...], "errors": [...], "system_error": "", "status_code": 200}
        violation[{"msg": msg}] {
          image := input.review.object.spec.containers[_].image
          response := external_data({"provider": "image-scanner", "keys": [image]})
          some i
          response.responses[i][0] == image
          response.responses[i][1].vulnerabilities > 0
          msg := sprintf("Image %v has vulnerabilities", [image])
        }

        # Fail closed: a provider error must not silently admit the image
        violation[{"msg": msg}] {
          image := input.review.object.spec.containers[_].image
          response := external_data({"provider": "image-scanner", "keys": [image]})
          response.system_error != ""
          msg := sprintf("Image scan failed for %v: %v", [image, response.system_error])
        }
```

Monitoring and Troubleshooting

Check Violations

```bash
# View constraint violations (audit results are stored under status.violations)
kubectl get constraints -o yaml

# Check audit logs
kubectl logs -n gatekeeper-system -l control-plane=audit-controller

# View webhook logs
kubectl logs -n gatekeeper-system -l control-plane=controller-manager

# Check metrics
kubectl port-forward -n gatekeeper-system svc/gatekeeper-controller-manager-metrics-service 8080:8080
curl localhost:8080/metrics
```
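To turn the audit status of a constraint into something reviewable, here is an added Python example (not part of the page or of Gatekeeper) that parses the JSON form of `kubectl get k8srequiredlabels must-have-environment -o json`, counts non-compliant objects per namespace, flags a truncated violation list and flags stale audit data. The embedded JSON is a constructed sample, and the one-hour staleness threshold is an assumption of the example.

```python
from __future__ import annotations

import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of `kubectl get k8srequiredlabels must-have-environment -o json`,
# trimmed to the status fields used below (not captured from a real cluster)
SAMPLE = json.loads("""
{
  "apiVersion": "constraints.gatekeeper.sh/v1beta1",
  "kind": "K8sRequiredLabels",
  "metadata": {"name": "must-have-environment"},
  "spec": {"enforcementAction": "deny",
           "parameters": {"labels": ["environment", "team", "version"]}},
  "status": {
    "auditTimestamp": "2024-01-15T10:00:00Z",
    "totalViolations": 3,
    "violations": [
      {"enforcementAction": "deny", "group": "apps", "version": "v1", "kind": "Deployment",
       "namespace": "production", "name": "web", "message": "Missing required label: team"},
      {"enforcementAction": "deny", "group": "apps", "version": "v1", "kind": "Deployment",
       "namespace": "production", "name": "web", "message": "Missing required label: version"},
      {"enforcementAction": "deny", "group": "apps", "version": "v1", "kind": "Deployment",
       "namespace": "production", "name": "api", "message": "Missing required label: team"}
    ]
  }
}
""")


def parse_ts(ts: str) -> datetime:
    """Parse the RFC 3339 UTC timestamp format Gatekeeper writes into status.auditTimestamp."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_is_stale(constraint: dict, now: datetime, max_age: timedelta = timedelta(hours=1)) -> bool:
    """True when the audit controller has not refreshed this constraint within max_age.
    A stale status can hide current violations, so it is a finding in its own right."""
    return now - parse_ts(constraint["status"]["auditTimestamp"]) > max_age


def violations_truncated(constraint: dict) -> bool:
    """Audit stores at most --constraint-violations-limit entries (default 20) in
    status.violations, while status.totalViolations keeps the real count."""
    status = constraint["status"]
    return status.get("totalViolations", 0) > len(status.get("violations", []))


def objects_by_namespace(constraint: dict) -> dict[str, int]:
    """Distinct violating objects per namespace; one object may produce several messages."""
    objs = {(v.get("namespace", ""), v["kind"], v["name"]) for v in constraint["status"]["violations"]}
    return dict(Counter(ns for ns, _, _ in objs))


def report(constraint: dict, now: datetime) -> list[str]:
    """Human-readable summary lines for one constraint."""
    action = constraint["spec"].get("enforcementAction", "deny")
    lines = [f"{constraint['kind']}/{constraint['metadata']['name']}: "
             f"{constraint['status'].get('totalViolations', 0)} violation(s), enforcement={action}"]
    for ns, count in sorted(objects_by_namespace(constraint).items()):
        lines.append(f"  {ns}: {count} non-compliant object(s)")
    if violations_truncated(constraint):
        lines.append("  note: status.violations is truncated; raise --constraint-violations-limit for the full list")
    if audit_is_stale(constraint, now):
        lines.append("  warning: audit data is older than 1h; check the audit controller logs")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE, datetime.now(timezone.utc))))
```

Feed it real output by replacing `SAMPLE` with `json.load(sys.stdin)` and piping `kubectl get <constraint> -o json` into the script; `status.violations` is populated by the audit controller, so an empty list with a recent `auditTimestamp` means clean, while an empty list with an old timestamp means the audit has not run.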

Debug Policies

```bash
# Test a resource against the policies without persisting it
kubectl apply --dry-run=server -f test-resource.yaml

# View constraint status
kubectl describe constraint

# Check template compilation (errors appear under status.byPod)
kubectl get constrainttemplate -o yaml
```

Emergency Procedures

Disable Gatekeeper

```bash
# Disable admission webhook (removes enforcement entirely; audit keeps running)
kubectl delete validatingwebhookconfiguration gatekeeper-validating-webhook-configuration

# Set webhook to ignore failures (fail-open: requests are admitted while the webhook is unreachable)
# Use a strategic merge patch; with --type=merge the whole webhooks list would be replaced
kubectl patch validatingwebhookconfiguration gatekeeper-validating-webhook-configuration \
  --type=strategic \
  -p='{"webhooks":[{"name":"validation.gatekeeper.sh","failurePolicy":"Ignore"}]}'
```
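The patch in the second command only behaves as intended as a strategic merge patch. As an added Python example (not kubectl code and not from the original page), the two functions below implement RFC 7386 JSON Merge Patch, which is what `--type=merge` sends, and a simplified strategic merge keyed on `name`, then apply the same patch body to a constructed, trimmed webhook configuration. The second webhook in the sample is simplified and stands in for any other webhook in the object.

```python
from __future__ import annotations

import copy
from typing import Any

# Constructed, trimmed ValidatingWebhookConfiguration in the shape Gatekeeper installs.
# The second webhook is simplified; it stands in for "any other webhook in the same object".
WEBHOOK_CONFIG: dict[str, Any] = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "gatekeeper-validating-webhook-configuration"},
    "webhooks": [
        {"name": "validation.gatekeeper.sh", "failurePolicy": "Fail",
         "clientConfig": {"service": {"name": "gatekeeper-webhook-service",
                                      "namespace": "gatekeeper-system", "path": "/v1/admit"}},
         "rules": [{"apiGroups": ["*"], "apiVersions": ["*"],
                    "operations": ["CREATE", "UPDATE"], "resources": ["*"]}]},
        {"name": "check-ignore-label.gatekeeper.sh", "failurePolicy": "Fail",
         "clientConfig": {"service": {"name": "gatekeeper-webhook-service",
                                      "namespace": "gatekeeper-system", "path": "/v1/admitlabel"}},
         "rules": [{"apiGroups": [""], "apiVersions": ["*"],
                    "operations": ["CREATE", "UPDATE"], "resources": ["namespaces"]}]},
    ],
}

# The patch body from the emergency procedure above
PATCH = {"webhooks": [{"name": "validation.gatekeeper.sh", "failurePolicy": "Ignore"}]}

# Fields whose lists are merged item-wise by a key (patchMergeKey in the Kubernetes API types)
MERGE_KEYS = {"webhooks": "name"}


def json_merge_patch(target: Any, patch: Any) -> Any:
    """RFC 7386 JSON Merge Patch, what `kubectl patch --type=merge` sends:
    objects merge recursively, null deletes a key, and any other value, a list
    included, replaces the original wholesale."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = json_merge_patch(result.get(key), value)
    return result


def strategic_merge_patch(target: Any, patch: Any, merge_keys: dict[str, str] = MERGE_KEYS) -> Any:
    """Simplified strategic merge patch (the kubectl default): lists registered in
    merge_keys are merged element by element on the key, so an item carrying only
    `name` and `failurePolicy` updates that one field of the matching webhook."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        existing = result.get(key)
        if key in merge_keys and isinstance(value, list) and isinstance(existing, list):
            mk = merge_keys[key]
            merged = copy.deepcopy(existing)
            for item in value:
                idx = next((i for i, e in enumerate(merged) if e.get(mk) == item.get(mk)), None)
                if idx is None:
                    merged.append(copy.deepcopy(item))
                else:
                    merged[idx] = strategic_merge_patch(merged[idx], item, merge_keys)
            result[key] = merged
        else:
            result[key] = strategic_merge_patch(existing, value, merge_keys)
    return result


def fail_open_webhooks(cfg: dict[str, Any]) -> list[str]:
    """Webhooks that admit requests when the webhook endpoint fails."""
    return [w["name"] for w in cfg["webhooks"] if w.get("failurePolicy") == "Ignore"]


def missing_client_config(cfg: dict[str, Any]) -> list[str]:
    """Webhooks that lost their clientConfig, which API server validation rejects."""
    return [w["name"] for w in cfg["webhooks"] if "clientConfig" not in w]


if __name__ == "__main__":
    for label, fn in (("--type=merge", json_merge_patch), ("--type=strategic", strategic_merge_patch)):
        out = fn(WEBHOOK_CONFIG, PATCH)
        print(f"{label}: {len(out['webhooks'])} webhook(s), fail-open={fail_open_webhooks(out)}, "
              f"missing clientConfig={missing_client_config(out)}")
```

With the JSON merge patch the result has a single webhook with no `clientConfig` and the second webhook is gone; with the strategic merge only `failurePolicy` of `validation.gatekeeper.sh` changes. Either way the end state is fail-open, so the change should be reverted to `Fail` as soon as the incident is over.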

Operations

```bash
# Remove all constraints
kubectl delete constraints --all

# Remove constraint templates
kubectl delete constrainttemplates --all

# Restart Gatekeeper
kubectl rollout restart deployment/gatekeeper-controller-manager -n gatekeeper-system
kubectl rollout restart deployment/gatekeeper-audit -n gatekeeper-system
```

Best Practices

Policy Development

  • Start in warn enforcement mode
  • Test policies in development environments
  • Use descriptive violation messages
  • Implement gradual rollout strategies

Performance Optimization

  • Limit constraint scope with match criteria
  • Write efficient Rego policies
  • Monitor resource usage
  • Implement proper caching strategies

Security Considerations

  • Update Gatekeeper regularly
  • Monitor for policy bypasses
  • Implement proper RBAC
  • Audit policy changes
