
Test of working in a codespace#4

Open
Madib036 wants to merge 1 commit into main from check-writing-process

Conversation

@Madib036
Collaborator

@Madib036 Madib036 commented Sep 14, 2024

Why:

Closes:

What's being changed (if available, include any code snippets, screenshots, or gifs):

Check off the following:

  • I have reviewed my changes in staging, available via the View deployment link in this PR's timeline (this link will be available after opening the PR).

    • For content changes, you will also see an automatically generated comment with links directly to pages you've modified. The comment won't appear if your PR only edits files in the data directory.
  • For content changes, I have completed the self-review checklist.

@Madib036 Madib036 enabled auto-merge September 17, 2024 21:11
@Madib036 Madib036 disabled auto-merge September 17, 2024 21:11
@Madib036 Madib036 enabled auto-merge September 17, 2024 21:12
@Madib036 Madib036 disabled auto-merge September 17, 2024 21:13
@Madib036 Madib036 enabled auto-merge (rebase) September 17, 2024 21:13
@Madib036 Madib036 disabled auto-merge September 17, 2024 21:13
@Madib036 Madib036 enabled auto-merge January 30, 2025 12:05
@Madib036 Madib036 disabled auto-merge January 30, 2025 12:05
@Madib036 Madib036 enabled auto-merge (squash) January 30, 2025 12:05
@Madib036 Madib036 disabled auto-merge January 30, 2025 12:05
@Madib036
Collaborator Author

Gatekeeper testing

This document describes how to set up and test Gatekeeper manually.
It describes how to install Gatekeeper using the gatekeeper-operator, set up some basic mutations and validate that the mutations are applied correctly.

Gatekeeper setup

The Gatekeeper operator can be installed by running the following command in the root of the cnf-features-deploy repo:

FEATURES=gatekeeper make feature-deploy

Once the operator is running, set up a Gatekeeper instance by running the following command:

cat << EOF | oc create -f -
apiVersion: operator.gatekeeper.sh/v1alpha1
kind: Gatekeeper
metadata:
  name: gatekeeper
spec:
  audit:
    replicas: 1
  mutatingWebhook: "Enabled"
  webhook:
    failurePolicy: "Ignore"
EOF

Check if the gatekeeper deployments are running by executing the following command:

oc get deployment -n gatekeeper-system

The output should show the following deployments to be ready:

  • gatekeeper-audit
  • gatekeeper-controller-manager

for example:

NAME                                                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/gatekeeper-audit                         1/1     1            1           12s
deployment.apps/gatekeeper-controller-manager            1/1     1            1           12s

Testing Gatekeeper constraints

Sample constraint templates and constraints can be found in feature-configs/demo/gatekeeper.

To apply these please run:

oc create -f feature-configs/demo/gatekeeper/00_ConstraintTemplates.yaml
oc create -f feature-configs/demo/gatekeeper/10_Constraints.yaml

NOTE: please wait a few seconds between the commands to allow gatekeeper to process them.

With the constraints in place, create some pods to validate that the constraints are applied properly.
To restrict the effect of the validation on the cluster, the constraints are only valid for namespaces having an admission.gatekeeper.sh/tolerations: "enforce" label.

Create such a namespace by executing:

oc create -f feature-configs/demo/gatekeeper/20_DemoNamespace.yaml

Create a basic pod passing validation

Create the following pod:

cat << EOF | oc create -f -
apiVersion: v1
kind: Pod
metadata:
  name: pod1
  # created in the labelled demo namespace so the constraints are actually evaluated
  namespace: gatekeeper-demo
spec:
  containers:
  - name: main
    image: centos
    command: ["/bin/bash", "-c", "sleep INF"]
EOF

The pod should be created successfully.

Create a pod failing validation

Create the following pods:

Pod with a specific toleration
cat << EOF | oc create -f -
apiVersion: v1
kind: Pod
metadata:
  name: pod2
  namespace: gatekeeper-demo
spec:
  tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
    operator: Exists
  containers:
  - name: main
    image: centos
    command: ["/bin/bash", "-c", "sleep INF"]
EOF

Gatekeeper will reject this pod with a message similar to the one below:

Error from server ([deny-master-no-schedule-toleration] Toleration is not allowed for taint {"effect": "NoSchedule", "key": "node-role.kubernetes.io/master", "value": "true"}): error when creating "STDIN": admission webhook "validation.gatekeeper.sh" denied the request: [deny-master-no-schedule-toleration] Toleration is not allowed for taint {"effect": "NoSchedule", "key": "node-role.kubernetes.io/master", "value": "true"}

This pod was rejected by the deny-master-no-schedule-toleration constraint of type k8srestrictspecifictoleration.constraints.gatekeeper.sh

Pod with a global taint
cat << EOF | oc create -f -
apiVersion: v1
kind: Pod
metadata:
  name: pod4
  namespace: gatekeeper-demo
spec:
  tolerations:
  - operator: "Exists"
  containers:
  - name: podexample
    image: centos
    command: ["/bin/bash", "-c", "sleep INF"]
EOF

Gatekeeper will reject this pod with a message similar to the one below:

The Pod "pod4" is invalid: spec.tolerations: Forbidden: existing toleration can not be modified except its tolerationSeconds

This pod was rejected by the deny-global-tolerations constraint of type k8srestrictglobaltoleration.constraints.gatekeeper.sh
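The two constraints exercised in the comment above, as an added offline pre-admission check. This is example code and not part of cnf-features-deploy, the Gatekeeper library or this PR: it approximates deny-global-tolerations and deny-master-no-schedule-toleration with the toleration-matching rules the Kubernetes scheduler uses, scoped to namespaces carrying the admission.gatekeeper.sh/tolerations: "enforce" label named on the page. The namespace label map, the pod manifests (mirroring pod1, pod2 and pod4) and the message strings are constructed for the example; the repo's Rego may differ in detail. It lets you lint manifests for these two rules before they ever hit the webhook, and shows the namespace-scoping and effect-matching edge cases the page only implies.

```python
"""Offline check approximating the two demo Gatekeeper constraints.

Added example (not code from cnf-features-deploy or this PR). Matching
follows Kubernetes' Toleration.ToleratesTaint rules; constraint names and
the taint come from the page, message wording is constructed.
"""
from __future__ import annotations

ENFORCE_LABEL = "admission.gatekeeper.sh/tolerations"   # label named on the page
ENFORCE_VALUE = "enforce"

# Taint guarded by deny-master-no-schedule-toleration (from the page's denial message).
MASTER_TAINT = {"key": "node-role.kubernetes.io/master",
                "effect": "NoSchedule", "value": "true"}


def toleration_matches_taint(tol: dict, taint: dict) -> bool:
    """Same rules as Kubernetes' Toleration.ToleratesTaint."""
    # An empty effect tolerates every effect; otherwise effects must match.
    if tol.get("effect") and tol["effect"] != taint.get("effect"):
        return False
    # An empty key matches every key (only meaningful with operator Exists).
    if tol.get("key") and tol["key"] != taint.get("key"):
        return False
    op = tol.get("operator") or "Equal"
    if op == "Exists":
        return True
    if op == "Equal":
        return tol.get("value", "") == taint.get("value", "")
    return False


def is_global_toleration(tol: dict) -> bool:
    """Keyless Exists toleration: tolerates every taint (of the given effect, or any)."""
    return not tol.get("key") and tol.get("operator") == "Exists"


def violations(pod: dict, namespace_labels: dict[str, dict[str, str]]) -> list[str]:
    """Return constraint violation messages for a Pod manifest; empty means admitted."""
    ns = pod.get("metadata", {}).get("namespace", "default")
    # Constraints are namespace-scoped: unlabelled namespaces are not evaluated at all.
    if namespace_labels.get(ns, {}).get(ENFORCE_LABEL) != ENFORCE_VALUE:
        return []
    found = []
    for tol in pod.get("spec", {}).get("tolerations", []):
        if is_global_toleration(tol):
            found.append("[deny-global-tolerations] Global toleration %r is not allowed" % (tol,))
        if toleration_matches_taint(tol, MASTER_TAINT):
            # Gatekeeper reports every violated constraint, so a keyless
            # Exists toleration trips this rule as well as the global one.
            found.append("[deny-master-no-schedule-toleration] "
                         "Toleration is not allowed for taint %r" % (MASTER_TAINT,))
    return found


def _pod(name: str, namespace: str | None, tolerations: list[dict]) -> dict:
    """Build a minimal Pod manifest (constructed; mirrors the page's YAML)."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {"apiVersion": "v1", "kind": "Pod", "metadata": meta,
            "spec": {"tolerations": tolerations,
                     "containers": [{"name": "main", "image": "centos",
                                     "command": ["/bin/bash", "-c", "sleep INF"]}]}}


# Constructed namespace labels: gatekeeper-demo carries the enforce label, default does not.
NAMESPACE_LABELS = {"gatekeeper-demo": {ENFORCE_LABEL: ENFORCE_VALUE}, "default": {}}

POD1 = _pod("pod1", "gatekeeper-demo", [])
POD2 = _pod("pod2", "gatekeeper-demo",
            [{"effect": "NoSchedule", "key": "node-role.kubernetes.io/master", "operator": "Exists"}])
POD4 = _pod("pod4", "gatekeeper-demo", [{"operator": "Exists"}])
# Edge cases: the pod2 toleration in an unscoped namespace, and a NoExecute-only toleration
# on the master key, which does not tolerate the NoSchedule taint and so is admitted.
POD2_DEFAULT_NS = _pod("pod2", None, POD2["spec"]["tolerations"])
POD_NOEXECUTE = _pod("pod5", "gatekeeper-demo",
                     [{"effect": "NoExecute", "key": "node-role.kubernetes.io/master", "operator": "Exists"}])

if __name__ == "__main__":
    for pod in (POD1, POD2, POD4, POD2_DEFAULT_NS, POD_NOEXECUTE):
        print(pod["metadata"]["name"], violations(pod, NAMESPACE_LABELS) or "admitted")
```

Run it directly to see each sample pod's outcome; pod1 and the two edge cases are admitted, pod2 trips only the master rule, and pod4's keyless Exists toleration trips both rules, which is why the namespace label is the only thing standing between such a manifest and every taint in the cluster.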
