WHO am I
Job Title // Technical Lead Infrastructure Engineer
// Develop and maintain private OpenStack cloud. Develop and maintain Kubernetes as a Service platform. CKA / CKAD / CKS
Twitter // @makocchi
Facebook // makocchi0923
Hobby // Playing bass
...what templates exist

So let's go ahead and violate one right away 👿. If you try to apply a YAML like the one shown (⏩), with a hostPath set to "readOnly: false"... you get properly told off!

$ kubectl apply -f busybox_with_hostpath_write.yaml
Error from server ([denied by autogke-no-write-mode-hostpath] hostPath volume log-volume in container busybox is accessed in write mode; disallowed in Autopilot. Requesting user: <[email protected]> and groups: <["system:authenticated"]>): error when creating "busybox_with_hostpath_write.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [denied by autogke-no-write-mode-hostpath] hostPath volume log-volume in container busybox is accessed in write mode; disallowed in Autopilot. Requesting user: <[email protected]> and groups: <["system:authenticated"]>
The error message contains a lot of detail, but the important part here is "denied by autogke-no-write-mode-hostpath" and the actual content that follows it. In other words, the request was rejected by the "autogke-no-write-mode-hostpath" policy, which is defined somewhere in the cluster.
Next, a YAML that mounts /var/tmp read-only (busybox_with_hostpath_read_tmp.yaml). A different error message appears from the "readOnly: false" case, but the policy is the same one: autogke-no-write-mode-hostpath.

$ kubectl apply -f busybox_with_hostpath_read_tmp.yaml
Error from server ([denied by autogke-no-write-mode-hostpath] hostPath volume tmp-volume used in container busybox uses path /var/tmp which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: ["/var/log/"]. Requesting user: <[email protected]> and groups: <["system:authenticated"]>): error when creating "busybox_with_hostpath_read_tmp.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [denied by autogke-no-write-mode-hostpath] hostPath volume tmp-volume used in container busybox uses path /var/tmp which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: ["/var/log/"]. Requesting user: <[email protected]> and groups: <["system:authenticated"]>
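The two denials above describe one rule with two checks: every hostPath mount must be readOnly, and the host path must sit under an allowed prefix (here only /var/log/). The following is an added example, not the slides' code and not Google's Rego: a Python re-implementation of that check that can be run over a Pod manifest before kubectl apply, reproducing the same messages. The busybox Pod objects are constructed to match the two manifests named on the slides, and the trailing-slash handling is an assumption.

```python
import json
from typing import Dict, List

# Prefix list exactly as printed in the Autopilot denial message.
ALLOWED_HOSTPATH_PREFIXES = ["/var/log/"]


def check_hostpath_volumes(pod: Dict) -> List[str]:
    """Return one message per offending hostPath mount; an empty list means clean."""
    spec = pod.get("spec", {})
    # volume name -> host path, for hostPath volumes only
    hostpaths = {v["name"]: v["hostPath"]["path"]
                 for v in spec.get("volumes", []) if "hostPath" in v}
    violations = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            name = m["name"]
            if name not in hostpaths:
                continue  # not a hostPath volume, nothing to check
            # readOnly lives on the mount and defaults to false: an omitted key is write mode.
            if not m.get("readOnly", False):
                violations.append(f"hostPath volume {name} in container {c['name']} "
                                  "is accessed in write mode; disallowed in Autopilot.")
            # Assumption: a trailing slash is implied, so "/var/log" matches the
            # "/var/log/" prefix while "/var/logs" does not.
            normalized = hostpaths[name].rstrip("/") + "/"
            if not any(normalized.startswith(p) for p in ALLOWED_HOSTPATH_PREFIXES):
                violations.append(f"hostPath volume {name} used in container {c['name']} "
                                  f"uses path {hostpaths[name]} which is not allowed in "
                                  "Autopilot. Allowed path prefixes for hostPath volumes "
                                  f"are: {json.dumps(ALLOWED_HOSTPATH_PREFIXES)}.")
    return violations


def busybox_pod(volume: str, path: str, read_only: bool) -> Dict:
    """Constructed Pod object shaped like the busybox manifests used in the talk."""
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "busybox"},
            "spec": {"containers": [{"name": "busybox", "image": "busybox",
                                     "volumeMounts": [{"name": volume, "mountPath": "/mnt",
                                                       "readOnly": read_only}]}],
                     "volumes": [{"name": volume, "hostPath": {"path": path}}]}}


if __name__ == "__main__":
    for pod in (busybox_pod("log-volume", "/var/log", False),   # write mode -> denied
                busybox_pod("tmp-volume", "/var/tmp", True),    # wrong prefix -> denied
                busybox_pod("log-volume", "/var/log", True)):   # read-only /var/log -> ok
        print(check_hostpath_volumes(pod) or ["ok"])
```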
I tried deleting it, just to see what happens 👿

$ kubectl delete crd autogkehostpathvolumes.constraints.gatekeeper.sh
Error from server ([denied by autogke-policy-crd-limitation] Operations on Policy related CRDs are not allowed in Autopilot. Requesting user: <[email protected]> and groups: <["system:authenticated"]>): admission webhook "validation.gatekeeper.sh" denied the request: [denied by autogke-policy-crd-limitation] Operations on Policy related CRDs are not allowed in Autopilot. Requesting user: <[email protected]> and groups: <["system:authenticated"]>

Firmly rejected. This time you can see that the autogke-policy-crd-limitation policy was applied. To see what Rego it contains, look at the autogkepolicycrdlimitation Constraint template.
Tokyo GKE Day March 2021
FINISH
Thank you for listening!!
Taking a look at the Rego behind GKE Autopilot's Gatekeeper
All background images in this presentation are picked from pixabay.com