
requests through the Kubernetes cluster by OPA

I want to use OPA (Open Policy Agent) in Kubernetes but have some questions which are still not clear to me:

Let's take a look at a specific case together: for instance, there is a pod creation in a namespace and we can learn the namespace from the pod object in OPA. But can we get the namespace object separately to learn the authority which this namespace belongs to?

More explicitly, I mean: can we make requests to the Kubernetes cluster from OPA?

For instance, there is a pod creation with the name Test. I want to allow this creation only for an authority called TestAuthority. When the pod is created, we know the namespace data but not the authority. To figure out the authority which this pod belongs to, I need to have the namespace object and look at its labels. Can we do so with OPA?

Additionally, can we say "allow pod creation with the names Test1, Test2, and Test3"? So any pod creation with the name Test4 should be denied.

Thank you in advance for your help.

(1) Yes, see https://github.com/open-policy-agent/kube-mgmt#caching or https://github.com/open-policy-agent/gatekeeper#replicating-data depending on which integration you want to use. Both allow replicating objects from Kubernetes into OPA to reference in the policies.

(2) Yes, you can write policies like that.

Credit: Patrick East, answered on the OPA Slack.
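As an added example (not part of the original answer, and not code from the OPA, kube-mgmt or Gatekeeper projects), the following Rego policy shows both points together for the kube-mgmt integration: it reads the replicated Namespace object out of `data.kubernetes.namespaces` (the path the kube-mgmt README's caching section documents for `--replicate=v1/namespaces`) to check an authority label, and it enforces a Pod-name allow-list. The label key `example.com/authority`, the package name and the fixture namespaces are assumptions made up for the example. It uses `import rego.v1` syntax (OPA 0.59 or newer). Because replication is asynchronous, a namespace created a moment ago may not be in OPA's cache yet, so the policy fails closed in that case instead of silently allowing the Pod.

```rego
package kubernetes.admission

import rego.v1

# kube-mgmt writes replicated objects under data.kubernetes.<plural resource>,
# so with --replicate=v1/namespaces the Namespace objects live here.
import data.kubernetes.namespaces

# Assumed (hypothetical) label key on the Namespace naming its owning authority.
authority_label := "example.com/authority"

# Point (2): the only Pod names that may be created; "Test4" is therefore denied.
allowed_pod_names := {"Test", "Test1", "Test2", "Test3"}

is_pod_create if {
	input.request.kind.kind == "Pod"
	input.request.operation == "CREATE"
}

# Default to "" so a request without a name is denied rather than ignored.
pod_name := object.get(input.request.object.metadata, "name", "")

deny contains msg if {
	is_pod_create
	not allowed_pod_names[pod_name]
	msg := sprintf("pod name %q is not in the allow-list", [pod_name])
}

# Point (1): the Namespace is not in the admission request, so look it up in the
# replicated data. If it has not been replicated yet, fail closed.
deny contains msg if {
	is_pod_create
	pod_name == "Test"
	ns := input.request.namespace
	not namespaces[ns]
	msg := sprintf("namespace %q is not in the OPA cache; refusing to decide", [ns])
}

deny contains msg if {
	is_pod_create
	pod_name == "Test"
	ns := input.request.namespace
	labels := object.get(namespaces[ns].metadata, "labels", {})
	authority := object.get(labels, authority_label, "")
	authority != "TestAuthority"
	msg := sprintf("pod %q may only be created by TestAuthority; namespace %q belongs to %q", [pod_name, ns, authority])
}

# --- Constructed fixtures and tests (run with `opa test .`) ---

pod_request(name, ns) := {"request": {
	"kind": {"kind": "Pod"},
	"operation": "CREATE",
	"namespace": ns,
	"object": {"metadata": {"name": name, "namespace": ns}},
}}

fake_namespaces := {
	"team-a": {"metadata": {"name": "team-a", "labels": {"example.com/authority": "TestAuthority"}}},
	"team-b": {"metadata": {"name": "team-b", "labels": {"example.com/authority": "OtherAuthority"}}},
	"nolabel": {"metadata": {"name": "nolabel"}},
}

test_test_allowed_for_test_authority if {
	count(deny) == 0 with input as pod_request("Test", "team-a") with data.kubernetes.namespaces as fake_namespaces
}

test_test_denied_for_other_authority if {
	count(deny) == 1 with input as pod_request("Test", "team-b") with data.kubernetes.namespaces as fake_namespaces
}

test_test_denied_when_label_missing if {
	count(deny) == 1 with input as pod_request("Test", "nolabel") with data.kubernetes.namespaces as fake_namespaces
}

test_test_denied_when_namespace_not_cached if {
	count(deny) == 1 with input as pod_request("Test", "unknown") with data.kubernetes.namespaces as fake_namespaces
}

test_test4_denied_by_allow_list if {
	count(deny) == 1 with input as pod_request("Test4", "team-a") with data.kubernetes.namespaces as fake_namespaces
}
```

With Gatekeeper the same logic goes into a ConstraintTemplate: the rules are named `violation[{"msg": msg}]`, the admission request is under `input.review` instead of `input.request`, and a replicated Namespace (a cluster-scoped object) is found at `data.inventory.cluster["v1"]["Namespace"][ns]` once the `Config` resource syncs `v1/Namespace`. The fail-closed rule for a missing cache entry is just as important there, since a `Config` that does not list Namespaces leaves `data.inventory` empty and would otherwise make the authority check a no-op.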
