---
title: Kubernetes Gatekeeper OPA Policy Constraints in Practice
keywords:
  - Gatekeeper
  - OPA
  - ConstraintTemplate
  - Constraints
  - Policy
description: Using Gatekeeper to define and apply policy constraints written in OPA Rego; the example forbids images that use the latest tag and matches Pods.
categories:
  - Articles
  - Tutorials
---

# Kubernetes Gatekeeper OPA Policy Constraints in Practice

## ConstraintTemplate

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sdisallowlatest
spec:
  crd:
    spec:
      names:
        kind: K8sDisallowLatest
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdisallowlatest

        violation[{ "msg": msg, "details": {}}] {
          input.review.kind.kind == "Pod"
          some i
          container := input.review.object.spec.containers[i]
          endswith(container.image, ":latest")
          msg := sprintf("image %s uses tag latest", [container.image])
        }
```

## Constraint

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowLatest
metadata:
  name: disallow-latest
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
```

## Verification

- After the template and the constraint are applied, creating a Pod whose image uses `:latest` is rejected by the admission webhook.

## Summary

Gatekeeper gives a cluster auditable, composable policy constraints, improving both security and consistency.
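As an added example (not from the original post and not Gatekeeper's own code), a Python check that mirrors the constraint's intent locally, for instance in CI before manifests reach the cluster. It goes beyond the Rego above in cases that `endswith(image, ":latest")` does not cover: a tagless image (which the runtime resolves to `latest`), a registry with a port, a digest-pinned image, and `initContainers`. The helper names and the sample Pod are constructed for this example.

```python
"""Hypothetical local check mirroring the K8sDisallowLatest constraint.

Parses image references so that tagless images (implicitly :latest) and
registries with a port are classified correctly, and walks initContainers
as well as containers, which the Rego on the page does not.
"""


def image_tag(image: str):
    """Return (tag, digest) for an image reference; tag is None when omitted."""
    digest = None
    if "@" in image:
        image, digest = image.split("@", 1)
    # The tag is the text after the last ':' only if that ':' comes after the
    # last '/'; otherwise the colon belongs to a registry port (registry.local:5000/app).
    last_slash = image.rfind("/")
    last_colon = image.rfind(":")
    if last_colon > last_slash:
        return image[last_colon + 1:], digest
    return None, digest


def resolves_to_latest(image: str) -> bool:
    """True when the reference would pull the mutable 'latest' tag."""
    tag, digest = image_tag(image)
    if digest:
        return False  # pinned by digest; any tag is informational only
    return tag is None or tag == "latest"


def violations(pod: dict) -> list:
    """Return one message per container (init or regular) that resolves to latest."""
    spec = pod.get("spec", {})
    msgs = []
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            if resolves_to_latest(c["image"]):
                msgs.append(f"{field}/{c['name']}: image {c['image']} resolves to tag latest")
    return msgs


# Constructed sample Pod covering the edge cases described in the lead-in.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox"}],
        "containers": [
            {"name": "a", "image": "nginx:latest"},
            {"name": "b", "image": "registry.local:5000/app"},
            {"name": "c", "image": "registry.local:5000/app:1.2.3"},
            {"name": "d", "image": "nginx@sha256:" + "0" * 64},
        ],
    },
}

if __name__ == "__main__":
    for m in violations(SAMPLE_POD):
        print(m)
```

Running it against the constructed Pod flags `init`, `a` and `b`; the port-qualified tagged image and the digest-pinned image pass, which is the behaviour to expect before tightening the Rego accordingly.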
