# Overview

Goal: use OPA Gatekeeper to enforce security and compliance policies inside the cluster, blocking non-compliant resources from being admitted and producing audit reports.

Applies to: security baselines and compliance governance for production clusters, naming constraints, and permission restrictions.

# Core and Practice

ConstraintTemplate (forbid privileged containers):

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sforbidprivileged
spec:
  crd:
    spec:
      names:
        kind: K8sForbidPrivileged
      validation:
        openAPIV3Schema:
          type: object
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sforbidprivileged

        violation[{"msg": msg, "details": {}}] {
          input.review.kind.kind == "Pod"
          c := input.review.object.spec.containers[_]
          c.securityContext.privileged == true
          msg := "privileged containers are not allowed"
        }
```

Constraint applied to a namespace:

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sForbidPrivileged
metadata:
  name: forbid-privileged-pods
spec:
  match:
    namespaces: ["prod"]
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
```

Example of a non-compliant resource that gets rejected:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: prod
spec:
  containers:
    - name: c
      image: alpine
      securityContext:
        privileged: true
```

Viewing audit results:

```
kubectl get k8sforbidprivileged -o yaml
kubectl -n gatekeeper-system logs deploy/gatekeeper-audit
```

# Verification and Monitoring

Installation and health:

```
kubectl get pods -n gatekeeper-system
kubectl get constraints,constrainttemplates
```

Exceptions and exemptions: use `match.excludedNamespaces` or `namespaceSelector` to handle exceptions.

Version governance: version templates and constraints in GitOps, and audit each change together with its blast radius.

# Common Pitfalls

- Writing only a ConstraintTemplate without creating a Constraint, so the policy never takes effect; a Constraint must be bound to the template.
- Audit not enabled, or audit logs never reviewed; keep an eye on the `gatekeeper-audit` output.
- Overly broad matching causes false rejections; scope the namespaces and resource types precisely.

# Conclusion

Gatekeeper implements admission control and auditing as policy-as-code; combined with GitOps it enables continuous governance of K8s resource compliance and security.
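As an added example (not code from the original post or from the Gatekeeper project), the following Python script previews offline which manifests the Constraint's `match` block would select and which of those the template's rule would reject, so the blast radius of a policy change can be checked before it is committed in GitOps. It assumes a hypothetical `excludedNamespaces` entry (`prod-break-glass`), mirrors namespace and kind matching by exact name only, and, going beyond the page's Rego, also inspects `initContainers`; all sample manifests are constructed.

```python
# Constructed: the Constraint's spec.match, plus a hypothetical excludedNamespaces entry.
CONSTRAINT_MATCH = {
    "namespaces": ["prod"],
    "excludedNamespaces": ["prod-break-glass"],  # hypothetical exemption namespace
    "kinds": [{"apiGroups": [""], "kinds": ["Pod"]}],
}

def _pod(name, ns, privileged=False, init_privileged=False):
    sc = {"securityContext": {"privileged": True}}
    pod = {"apiVersion": "v1", "kind": "Pod",
           "metadata": {"name": name, "namespace": ns},
           "spec": {"containers": [{"name": "c", "image": "alpine", **(sc if privileged else {})}]}}
    if init_privileged:
        pod["spec"]["initContainers"] = [{"name": "init", "image": "alpine", **sc}]
    return pod

SAMPLE_MANIFESTS = [  # constructed sample manifests shaped like the page's "bad" Pod
    _pod("bad", "prod", privileged=True),                     # the page's rejected example
    _pod("good", "prod"),                                     # compliant, same namespace
    _pod("bad-dev", "dev", privileged=True),                  # outside the matched namespaces
    _pod("bad-exempt", "prod-break-glass", privileged=True),  # in excludedNamespaces
    _pod("bad-init", "prod", init_privileged=True),           # privileged initContainer only
]

def matches(match, obj):
    """Mirror the Constraint's namespace/kind selection (exact names, no globs)."""
    ns = obj.get("metadata", {}).get("namespace", "default")
    if match.get("namespaces") and ns not in match["namespaces"]:
        return False
    if ns in match.get("excludedNamespaces", []):
        return False
    group = obj["apiVersion"].rsplit("/", 1)[0] if "/" in obj["apiVersion"] else ""
    kinds = match.get("kinds", [])
    return not kinds or any(
        ("*" in k["apiGroups"] or group in k["apiGroups"])
        and ("*" in k["kinds"] or obj["kind"] in k["kinds"]) for k in kinds)

def violations(obj):
    """The template's rule, extended to initContainers (which the page's Rego skips)."""
    if obj["kind"] != "Pod":
        return []
    return [f"privileged containers are not allowed ({field}/{c['name']})"
            for field in ("containers", "initContainers")
            for c in obj.get("spec", {}).get(field, [])
            if c.get("securityContext", {}).get("privileged") is True]

def preview(match, manifests):
    """Map manifest name -> violation messages; an empty list means it would be admitted."""
    return {m["metadata"]["name"]: violations(m) if matches(match, m) else []
            for m in manifests}
```

Running `preview(CONSTRAINT_MATCH, SAMPLE_MANIFESTS)` flags only `bad` and `bad-init`; the `dev` and break-glass Pods stay admitted because the match block never selects them, which is the scoping the "Common Pitfalls" section asks for.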
