Restricting ingress/egress CIDR ranges – OPA Gatekeeper NetworkPolicy

Problem description

I am trying to deploy some restrictions on ingress/egress CIDR ranges through an OPA Gatekeeper network policy. So first I have to create a constraint template that will apply to any kind of ingress/egress access to any IP or IP CIDR range, except for the ranges allowed in the following YAML file:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdenyegress
spec:
  crd:
    spec:
      names:
        kind: K8sDenyEgress
      validation:
        openAPIV3Schema:
          properties:
            cidr:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenyegress
        violation[{"msg": msg}] {
            input.review.object.kind == "NetworkPolicy"
            cidr_or_ip := { ip | ip := input.review.object.spec.egress[_].to[_].ipBlock.cidr }
            cidr := { ip | ip := input.parameters.cidr[_] }
            # This is the call Gatekeeper rejects below: net.cidr_contains takes two strings, not sets
            value := net.cidr_contains(cidr, cidr_or_ip)
            not(value)
            msg := "The specified IP is not allowed."
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyEgress
metadata:
  name: deny-egress
spec:
  match:
    kinds:
      - apiGroups: ["networking.k8s.io"]
        kinds: ["NetworkPolicy"]
  parameters:
    cidr:
      - "192.168.0.1/24"

Once deployed, the following error appears:

Target:  admission.k8s.gatekeeper.sh
Status:
  By Pod:
    Errors:
      Code:               ingest_error
      Message:            Could not ingest Rego: 1 error occurred: __modset_templates["admission.k8s.gatekeeper.sh"]["K8sDenyEgress"]_idx_0:7: rego_type_error: net.cidr_contains: invalid argument(s)
                          have: (set[any],set[any],???)
                          want: (string,string,boolean)
    Id:                   gatekeeper-audit-54c9759898-xxdmd
    Observed Generation:  1
    Operations:
      audit
      status
    Template UID:  f29e2dd0-5918-48a7-b943-23f36b91690f
    Errors:
      Code:               ingest_error
      Message:            Could not ingest Rego: 1 error occurred: __modset_templates["admission.k8s.gatekeeper.sh"]["K8sDenyEgress"]_idx_0:7: rego_type_error: net.cidr_contains: invalid argument(s)
                          have: (set[any],boolean)
    Id:                   gatekeeper-controller-manager-6bcc7f8fb5-fjbfq
    Observed Generation:  1
    Operations:
      webhook
    Template UID:  f29e2dd0-5918-48a7-b943-23f36b91690f
    Errors:
      Code:               ingest_error
      Message:            Could not ingest Rego: 1 error occurred: __modset_templates["admission.k8s.gatekeeper.sh"]["K8sDenyEgress"]_idx_0:7: rego_type_error: net.cidr_contains: invalid argument(s)
                          have: (set[any],boolean)
    Id:                   gatekeeper-controller-manager-6bcc7f8fb5-gwhrl
    Observed Generation:  1
    Operations:
      webhook
    Template UID:  f29e2dd0-5918-48a7-b943-23f36b91690f
    Errors:
      Code:               ingest_error
      Message:            Could not ingest Rego: 1 error occurred: __modset_templates["admission.k8s.gatekeeper.sh"]["K8sDenyEgress"]_idx_0:7: rego_type_error: net.cidr_contains: invalid argument(s)
                          have: (set[any],boolean)
    Id:                   gatekeeper-controller-manager-6bcc7f8fb5-sc67f
    Observed Generation:  1
    Operations:
      webhook
    Template UID:  f29e2dd0-5918-48a7-b943-23f36b91690f
  Created:         true
Events:            <none>

Could you help resolve this error?

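A corrected ConstraintTemplate, written here as an added example rather than taken from the question or from any answer on the page: `net.cidr_contains` takes two strings and returns a boolean, so the Rego evaluates it once per pair of allowed range and policy CIDR instead of passing whole sets, and it checks ingress sources as well as egress destinations. The helper names `allowed` and `policy_cidrs` are assumptions of mine; the `K8sDenyEgress` constraint from the question can be applied unchanged (with lowercase `metadata`).

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdenyegress
spec:
  crd:
    spec:
      names:
        kind: K8sDenyEgress
      validation:
        openAPIV3Schema:
          properties:
            cidr:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenyegress

        # One violation per ipBlock CIDR that falls outside every allowed range.
        violation[{"msg": msg}] {
          input.review.object.kind == "NetworkPolicy"
          cidr := policy_cidrs[_]
          not allowed(cidr)
          msg := sprintf("CIDR %v is not within the allowed ranges %v", [cidr, input.parameters.cidr])
        }

        # net.cidr_contains(range, cidr_or_ip) takes two strings and returns a boolean,
        # so it is evaluated per (allowed range, policy CIDR) pair; the function is
        # defined (true) as soon as any allowed range contains the CIDR.
        allowed(cidr) {
          net.cidr_contains(input.parameters.cidr[_], cidr)
        }

        # Collect the CIDRs referenced by the policy: egress destinations and ingress sources.
        policy_cidrs[cidr] {
          cidr := input.review.object.spec.egress[_].to[_].ipBlock.cidr
        }
        policy_cidrs[cidr] {
          cidr := input.review.object.spec.ingress[_].from[_].ipBlock.cidr
        }
```

A NetworkPolicy whose ipBlock uses 10.0.0.0/8 is rejected with the message naming that CIDR, while one using 192.168.0.0/28 passes against the question's "192.168.0.1/24" parameter; note that an ipBlock's `except` list is not evaluated here.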