gatekeeper | Kubernetes Operator to manage Dynamic Admission Controllers | SDK library
kandi X-RAY | gatekeeper Summary
Gatekeeper is currently an implementation of a Kubernetes Operator for installing, configuring and managing Open Policy Agent to provide dynamic admission controllers in a cluster.
Top functions reviewed by kandi - BETA
- main is the main function
- CreateCertFromCA creates a certificate from a certificate and private key
- RootCmd returns the cobra command for gatekeeper
- buildInjector builds a docker container
- CreateCertificateAuthority creates a certificate authority
- add creates a new controller
- Proxy returns the cobra command for proxy
- Get returns a gatekeeper proxy
- Policies returns the set of policies
- Reconcile is used to reconcile the admission policy
Trending Discussions on gatekeeper
QUESTION
I have a stupid question about homebrew: Why are executables that I install via homebrew trusted by macOS (Gatekeeper)? I.e. after installation I can run an executable and don't get a security popup and don't have to allow an exception - why is that?
I initially thought that homebrew might sign/notarize the binaries in their CI, but looking at some random executables it doesn't look like they have a signature: spctl -a -v $(which ).
edit: meaning executables installed from bottles (pre-compiled binaries, not source packages compiled on my local machine)
...ANSWER
Answered 2021-Jun-09 at 11:57
There is no quarantining flag for a CLI app downloaded with curl. Homebrew uses UNIX core tools to download the bottles, and thus they don't have this flag set.
Next, Homebrew also ad-hoc signs binaries.
Don't confuse code signing with notarisation.
Notarisation is where Apple vouches for software signed with a dev cert private key.
They cannot notarise ad-hoc signed software (like Homebrew bottles) by definition.
Now when my executable is NOT notarized it terminates with "Killed: 9", regardless if there's a quarantine attribute or not.
This is happening, I would speculate, because the binary here isn't ad-hoc signed. Nothing to do with notarisation.
I bet you are on Apple Silicon right?
QUESTION
I'm trying to deploy kubeflow on an OVH managed k8s cluster.
After the initial setup of the k8s cluster, I ran the following commands to install kubeflow, as suggested here:
...ANSWER
Answered 2021-Jun-07 at 12:38
QUESTION
In Open Policy Agent (https://www.openpolicyagent.org/), regarding Kubernetes, depending on which engine is used:
- Gatekeeper: https://github.com/open-policy-agent/gatekeeper
OR
- Plain OPA with kube-mgmt: https://www.openpolicyagent.org/docs/latest/kubernetes-introduction/#how-does-it-work-with-plain-opa-and-kube-mgmt
there are different ways to define validation rules:
- In Gatekeeper the violation rule is used. See sample rules here: https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general
- In plain OPA samples, the deny rule is used, see sample here: https://www.openpolicyagent.org/docs/latest/kubernetes-introduction/#how-does-it-work-with-plain-opa-and-kube-mgmt
It seems that the OPA constraint framework defines it as violation: https://github.com/open-policy-agent/frameworks/tree/master/constraint#rule-schema
So what is the exact "story" behind this, why is it not consistent between the different engines?
Notes:
- This doc reflects on this: https://www.openshift.com/blog/better-kubernetes-security-with-open-policy-agent-opa-part-2
- Here is mentioned how to support interoperability in the script: https://github.com/open-policy-agent/gatekeeper/issues/1168#issuecomment-794759747
- https://github.com/open-policy-agent/gatekeeper/issues/168 In this issue the migration is mentioned; is it just because of "dry run" support?
ANSWER
Answered 2021-May-04 at 20:15
Plain OPA has no opinion on how you choose to name your rules. Using deny is just a convention in the tutorial. The real Kubernetes admission review response is going to look something like this:
QUESTION
I have access to a number of AWS accounts belonging to a client, and would like to set up a public certificate using DNS validation. I believe this means I also need to set up DNS.
I have two accounts:
- dsc-staging (contains new cert, local DNS for subdomain)
- eds-staging (contains root of new subdomain)
The new cert/DNS shall be: gatekeeper.s.aws.example.com
This is set up in account dsc-staging. I have gone through the "DNS validation" option, and it says that it is pending. To start with there is no DNS for this name in either account, so this would eventually fail if left like that.
So, in the same account, I have created a HostedZone in Route 53, which creates default NS and SOA records.
Now, in the other account, eds-staging, there are existing records for:
- s.aws.example.internal (NS record with four rows in a single value)
- s.aws.example.internal (SOA record)
I have added the validation record in here, as a CNAME. (I am informed that it would be OK to have put the validation record in the local Route 53, but I have chosen for now to do it here).
Now, I believe that I need to inform AWS how to connect gatekeeper.s.aws.example.com with the known internal name s.aws.example.internal, which already exists, and is used by other things. I believe the process of connecting the two is called "delegation". I was given some instructions to take the NS records from the local account for gatekeeper.s.aws.example.com and copy them to the parent domain s.aws.example.internal in the other account.
However, the AWS UI in Route 53 seems to disallow adding another NS record - is it because one already exists? If so can I just add my four records under the existing four (ie. in the same record)?
I believe that if I wire up this DNS so that it is resolvable, the certificate will automatically become validate-able, and that will happen automatically. Is this assumption correct?
...ANSWER
Answered 2021-Mar-13 at 02:12
I would break it down like this:
1. Register or transfer the domain to your AWS master billing account. This is the only account that registers domains.
2. In each sub account, e.g. dev, prod, create a R53 hosted zone for the top level domain provisioned in step 1. Make sure the NS servers in step 1 are assigned to the zone here. Pay close attention that they agree both on name AND number of servers - usually 4.
3. Create an ACM cert request for the root AND wild card domain, e.g. example.com and *.example.com. Request DNS validation. Key here is to include the wild card. This means it will work for any host name in the domain.
4. In ACM, request that the service create the R53 validation DNS records for you. This is only possible if you have done step 2 in the same account.
5. Wait for approval. It can take a few mins, to all day. Check back every hour or so.
This process, if followed exactly, will always provide a validated ACM cert that works for any AWS supported service, for both the root domain and any subhost under it.
QUESTION
I have already compiled QEMU by myself on a MacBook Pro M1, and downloaded Ubuntu 20.04.
When I am trying to install ubuntu by:
...ANSWER
Answered 2021-Mar-26 at 15:31
Not knowing what process you have followed so far, I found two resources that may be helpful here for you.
This comment from yu3fms on a GitHub repo about QEMU on M1 discusses using brew for ARM and specific patches for QEMU to enable vhf acceleration.
And this Syonyk's Project Blog post, The Apple M1, ARM/x86 Linux Virtualization, and BOINC is a great tutorial on how to get QEMU up and running on an M1 Mac for both ARM and x86 guests.
QUESTION
I'm using ad hoc (outside App Store) distribution for my document-based app. The app is NOT sandboxed, and entitlements are set correctly:
...ANSWER
Answered 2021-Apr-11 at 20:42
The problem was some remnants of an old bundle identifier. I had migrated to a sandboxed distribution of the app, and at some point in the process, I had built the sandboxed version with the same bundle identifier. macOS had registered the bundle identifier to belong to a sandboxed app and, probably due to security reasons, no longer wanted to allow it to run non-sandboxed.
I created a fresh Info.plist, and changed the bundle identifier, and the errors were gone.
QUESTION
I have a problem when trying to implement a WMS/WMTS service in mapbox. I'm using Java and Android Studio. I managed to place the map in the right coordinates, but when I zoom in, the tiles from the service duplicate and scatter on the map. It also does not scale with the rest of the map as I zoom. I first tried with a WMS service, then tried with a WMTS service to see if that helped, but I get the same problem.
It looks like I don't get the new tile from the WMS/WMTS and it just puts the same map on all the sub-tiles.
I use this website to test my urls: http://trailbehind.github.io/TilejsonTester/
[Image: when I zoom, the map of Norway shows in four places in the world and does not get bigger]
...ANSWER
Answered 2021-Mar-27 at 12:23
I think the problem is that you're specifying a bounding box with actual values in the URL, so you'll always get the same image. I've modified your URL to use a template for bbox, and it works for me in Mapbox: https://wms.geonorge.no/skwms1/wms.sjokartraster2?&service=wms&version=1.3.0&request=GetMap&bbox={bbox-epsg-3857}&transparent=true&width=512&height=512&layers=all&CRS=EPSG:3857&format=image/png
QUESTION
I have some TypeScript code that uses CDK to create an API Gateway and a Lambda. It works and deploys to a standard AWS URL. So far so good.
I now need to transfer the API Gateway so that it operates on a custom domain, so that it can set a cookie in a web app. This is proving far harder, and I suspect I am having difficulty because I am new to TypeScript, AWS, and CDK all at the same time. There are a number of documentation resources on the web, but most would require me to rewrite the precious little working code I have, which I am reluctant to do.
I have created a certificate manually, because that requires validation and thus it does not make sense to create it in code. Other than that I want all other resources to be created by CDK code in a Stack. In my view, it defeats the purpose of CDK if I have to configure things manually.
Problem
The below code deploys everything I need to gatekeeper.d.aws.example.com - a HostedZone, an ARecord, a LambdaRestApi and a Function (lambda). However it does not work because the NS records newly assigned to gatekeeper.d.aws.example.com do not match the ones in the parent d.aws.example.com.
I think this means that although d.aws.example.com is "known", the gateway subdomain cannot delegate to it.
Here is my working code:
...ANSWER
Answered 2021-Mar-17 at 20:23
I have consulted two AWS experts, and they do not favour cross-account operations. One said:
This is an anti-pattern, since it requires permissions to remain even after the stack is deployed. What happens if a cross-account operation has to roll back and that permission is revoked? It would result in the app being stuck in a middle/undefined state (the local part is rolled back, but the remote part cannot be rolled back due to an access violation).
The other advised:
Cross-account CDK is hard.
It is much better to split your stacks into two or more operations, so you can run them independently. This applies nicely to "one off" operations like DNS delegation - realistically you are not going to change the zone delegation for your Stack unless you destroy it, which you are not going to do until you actually don't need it. Thus, there is no reason for the zone information to change for the lifetime of the system.
This also works well where you have an app and a database, and you want the ability to take down your app without destroying the data.
So, this is an answer in the sense that some folks will say "don't do it". However, it looks like AWS has the ability to do it, so answers in that direction are still welcome.
QUESTION
I have a K8S cluster running in Azure AKS service.
I want to enforce MustRunAsNonRoot policy. How to do it?
The following policy is created:
...ANSWER
Answered 2021-Feb-09 at 16:33
You shouldn't use PodSecurityPolicy on an Azure AKS cluster as it has been set for deprecation as of May 31st, 2021 in favor of Azure Policy for AKS. Check the official docs for further details:
Warning
The feature described in this document, pod security policy (preview), is set for deprecation and will no longer be available after May 31st, 2021 in favor of Azure Policy for AKS. The deprecation date has been extended from the previous date of October 15th, 2020.
So currently you should rather use Azure Policy for AKS, where among other built-in policies grouped into initiatives (an initiative in Azure Policy is a collection of policy definitions that are tailored towards achieving a singular overarching goal), you can find a policy whose goal is to disallow running of privileged containers on your AKS cluster.
As to PodSecurityPolicy, for the time being it should still work. Please check here if you didn't forget about anything, e.g. make sure you set up the corresponding ClusterRole and ClusterRoleBinding to allow the policy to be used.
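The two rule conventions discussed in the Gatekeeper-versus-plain-OPA question above, applied to the "must run as non-root" requirement from this AKS question, as an added example that is not taken from either answer or from the Gatekeeper project: a Gatekeeper ConstraintTemplate plus Constraint using the `violation` rule schema, followed by the equivalent kube-mgmt ConfigMap using the tutorial's `deny` convention. The resource names (K8sRequireNonRoot, require-non-root), the `opa` namespace and the message wording are assumptions; the Gatekeeper API versions, the `input.review.object` vs `input.request.object` input shape, and the `openpolicyagent.org/policy: rego` label are the documented conventions of each engine.

```yaml
# --- Gatekeeper: the constraint framework's "violation" rule schema ---
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequirenonroot          # assumed name
spec:
  crd:
    spec:
      names:
        kind: K8sRequireNonRoot    # assumed Constraint kind
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequirenonroot

        # Gatekeeper wraps the AdmissionReview as input.review
        violation[{"msg": msg}] {
          container := input_containers[_]
          not runs_as_non_root(container)
          msg := sprintf("container %q must set securityContext.runAsNonRoot: true", [container.name])
        }

        # Check regular and init containers alike
        input_containers[c] { c := input.review.object.spec.containers[_] }
        input_containers[c] { c := input.review.object.spec.initContainers[_] }

        # Compliant when the container sets runAsNonRoot: true ...
        runs_as_non_root(c) { c.securityContext.runAsNonRoot == true }
        # ... or leaves it unset and the pod-level securityContext sets it
        # (an explicit container-level false overrides the pod-level value)
        runs_as_non_root(c) {
          not c.securityContext.runAsNonRoot == false
          input.review.object.spec.securityContext.runAsNonRoot == true
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNonRoot
metadata:
  name: require-non-root           # assumed name
spec:
  # enforcementAction: dryrun      # audit-only mode: report violations without blocking
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
---
# --- Plain OPA + kube-mgmt: the tutorial's "deny" convention ---
apiVersion: v1
kind: ConfigMap
metadata:
  name: require-non-root           # assumed name
  namespace: opa                   # assumed: namespace where kube-mgmt watches for policies
  labels:
    openpolicyagent.org/policy: rego
data:
  require_non_root.rego: |
    package kubernetes.admission

    # Plain OPA receives the raw AdmissionReview, so the object is input.request.object.
    # The tutorial's main policy collects this deny set into the review response.
    deny[msg] {
      input.request.kind.kind == "Pod"
      container := input_containers[_]
      not runs_as_non_root(container)
      msg := sprintf("container %q must set securityContext.runAsNonRoot: true", [container.name])
    }

    input_containers[c] { c := input.request.object.spec.containers[_] }
    input_containers[c] { c := input.request.object.spec.initContainers[_] }

    runs_as_non_root(c) { c.securityContext.runAsNonRoot == true }
    runs_as_non_root(c) {
      not c.securityContext.runAsNonRoot == false
      input.request.object.spec.securityContext.runAsNonRoot == true
    }
```

The Rego logic is identical in both halves; only the rule name and the path to the admitted object differ, which is exactly the inconsistency the question asks about. Setting `enforcementAction: dryrun` on the Constraint lets the rule be audited against existing workloads before it starts rejecting admissions.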
QUESTION
I'm trying to build a bar graph with echarts, where each bar has an hour and date associated with it. How can I group the dates so that they do not repeat? This should also update if the graph is zoomed in / panned accordingly. Thanks for the help!
What I have :
What I would like :
And what I currently have for my code :
...ANSWER
Answered 2021-Jan-15 at 01:55
Try to use the configuration below:
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported