I can't understand why I am able to create the pod in test.yaml file in default . . .

Nabil z.:
I can't understand why I am able to create the pod in the test.yaml file in the default namespace and not in the dev namespace

Mohamed Ayman:
The problem in the yaml file was about the image name, not the namespace, so once you fix it as below, you can run the apply command to create the pod in the dev namespace as required

kind: Pod
apiVersion: v1
metadata:
  name: test
spec:
  containers:

$ kubectl apply -n dev -f /root/test.yaml

Nabil z.:
I am aware of the fix

Nabil z.:
But even before applying that fix

Nabil z.:
applying the test.yaml in the default (opa) namespace is successful

Nabil z.:
Applying with -n dev does not work

Mohamed Ayman:
If you check those rego files, you will find which resources are denied

Mohamed Ayman:
package kubernetes.admission

# Deny any Pod whose container image does not come from the trusted registry
deny[msg] {
  input.request.kind.kind == "Pod"
  image := input.request.object.spec.containers[_].image
  not startswith(image, "hooli.com/")
  msg := sprintf("image '%v' comes from untrusted registry", [image])
}

root@controlplane:~# cat /root/unique-host.rego
package kubernetes.admission
import data.kubernetes.ingresses

# Deny an Ingress being created with a host already used by an Ingress in another namespace
deny[msg] {
  some other_ns, other_ingress
  input.request.kind.kind == "Ingress"
  input.request.operation == "CREATE"
  host := input.request.object.spec.rules[_].host
  ingress := ingresses[other_ns][other_ingress]
  other_ns != input.request.namespace
  ingress.spec.rules[_].host == host
  msg := sprintf("invalid ingress host %q (conflicts with %v/%v)", [host, other_ns, other_ingress])
}

Mohamed Ayman:
Then, the invalid ones are the other namespaces, but if they have images starting with "hooli.com" they will not match this rule and will be created successfully

Nabil z.:
Is this applied only to the Ingress object?

Nabil z.:
Or does it also apply to Pods?

Nabil z.:
So I found the solution

Nabil z.:
In fact, if I create the pod in the default namespace (opa), the rule won't be enforced because the namespace opa has the label

openpolicyagent.org/webhook: ignore
apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: "2021-06-01T13:10:10Z"
  labels:
    openpolicyagent.org/webhook: ignore