Nabil z.:
I can't understand why I am able to create the pod in the test.yaml file in the default namespace and not in the dev namespace
Mohamed Ayman:
The problem in the yaml file was about the image name, not the namespace, so once you fix it as below, you can run the apply command to create the pod in the dev namespace as required

kind: Pod
apiVersion: v1
metadata:
  name: test
spec:
  containers:
  # image references must start with the trusted registry hooli.com/
  - image: hooli.com/nginx
    name: nginx-frontend
  - image: hooli.com/mysql
    name: mysql-backend

$ kubectl apply -n dev -f /root/test.yaml
Nabil z.:
I am aware of the fix
Nabil z.:
But even before applying that fix
Nabil z.:
applying the test.yaml in the default (opa) namespace is successful
Nabil z.:
applying with -n dev does not work
Mohamed Ayman:
If you check those rego files, you will find which resources are denied
Mohamed Ayman:
package kubernetes.admission

# Deny any Pod whose container image does not come from the hooli.com registry
deny[msg] {
  input.request.kind.kind == "Pod"
  image := input.request.object.spec.containers[_].image
  not startswith(image, "hooli.com/")
  msg := sprintf("image '%v' comes from untrusted registry", [image])
}
root@controlplane:~# cat /root/unique-host.rego
package kubernetes.admission

import data.kubernetes.ingresses

# Deny an Ingress being created with a host that an Ingress in another namespace already uses
deny[msg] {
  some other_ns, other_ingress
  input.request.kind.kind == "Ingress"
  input.request.operation == "CREATE"
  host := input.request.object.spec.rules[_].host
  ingress := ingresses[other_ns][other_ingress]
  other_ns != input.request.namespace
  ingress.spec.rules[_].host == host
  msg := sprintf("invalid ingress host %q (conflicts with %v/%v)", [host, other_ns, other_ingress])
}
Mohamed Ayman:
Then, the invalid ones are the other namespaces, but if they have images starting with "hooli.com" they will not match this rule and will be created successfully
Nabil z.:
Is this applied only to the Ingress object?
Nabil z.:
Or does it also apply to Pods?
Nabil z.:
So I found the solution
Nabil z.:
In fact, if I create the pod in the default namespace (opa), the rule won't be enforced because the namespace opa has the label
openpolicyagent.org/webhook: ignore

apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: "2021-06-01T13:10:10Z"
  labels:
    # this label makes the OPA admission webhook skip resources in this namespace
    openpolicyagent.org/webhook: ignore