A repository for using Archivista as a data provider for Gatekeeper.
-
Create a kind cluster.
-
Install the latest version of Gatekeeper and enable the external data feature.
# Add the Gatekeeper Helm repository
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
# Install the latest version of Gatekeeper with the external data feature enabled.
helm install gatekeeper/gatekeeper \
--set enableExternalData=true \
--name-template=gatekeeper \
--namespace gatekeeper-system \
--create-namespace
- Build and deploy the archivista data provider.
git clone https://github.com/testifysec/archivista-data-provider.git
cd archivista-data-provider
# generate a self-signed certificate for the archivista data provider
./scripts/generate-tls-cert.sh
# build the image via docker buildx
make docker-buildx
# load the image into kind
make kind-load-image
# Install archivista data provider into gatekeeper-system to use mTLS
helm install archivista-data-provider charts/archivista-data-provider \
--set provider.tls.caBundle="$(cat certs/ca.crt | base64 | tr -d '\n\r')" \
--namespace gatekeeper-system
4a. Install constraint template and constraint.
kubectl apply -f validation/archivista-data-provider-constraint-template.yaml
kubectl apply -f validation/archivista-data-provider-constraint.yaml
4b. Test the archivista data provider by dry-running the following command:
kubectl run nginx --image=error_nginx --dry-run=server -ojson
Gatekeeper should deny the pod admission above because the image field has an error_nginx
prefix.
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [deny-images-with-invalid-suffix] invalid response: {"errors": [["error_nginx", "error_nginx_invalid"]], "responses": [], "status_code": 200, "system_error": ""}
5a. Install Assign mutation.
kubectl apply -f mutation/archivista-data-provider-mutation.yaml
5b. Test the archivista data provider by dry-running the following command:
kubectl run nginx --image=nginx --dry-run=server -ojson
The expected JSON output should have the following image field with _valid
appended by the archivista data provider:
"containers": [
{
"name": "nginx",
"image": "nginx_valid",
...
}
]
- Uninstall the archivista data provider and Gatekeeper.
kubectl delete -f validation/
kubectl delete -f mutation/
helm uninstall archivista-data-provider --namespace gatekeeper-system
helm uninstall gatekeeper --namespace gatekeeper-system