2 min read | by Jordi Prats
OPA Gatekeeper is most commonly used to block certain objects from getting into the Kubernetes cluster, but we can also use it to just warn the user.
To do so we just need to set spec.enforcementAction to warn as follows:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictTolerations
metadata:
  name: restrict-tolerations
  annotations:
    "helm.sh/hook": "post-install,post-upgrade"
    "helm.sh/hook-delete-policy": "before-hook-creation"
    "helm.sh/hook-weight": "1"
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    tolerations:
      - key: node-role.kubernetes.io/demo
      - key: node-role.kubernetes.io/another
      - key: node-role.kubernetes.io/yetanother
In the ENFORCEMENT-ACTION column we'll see this setting:
$ kubectl get RestrictTolerations
NAME                                ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
restrict-infra-master-tolerations   warn                 0
With this rule in place we'll get warnings when applying the object, but it will get through anyway:
$ kubectl apply -f testPod.yaml
Warning: [restrict-infra-master-tolerations] found restricted toleration(s)
pod/pod-tolerations-test created
We can use this to warn users about potential problems with their manifests without affecting their ability to manage their own manifests.
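To see how enforcementAction changes the outcome without touching a cluster, here is an added, offline simulation (my own example, not Gatekeeper code or the author's template). It assumes the RestrictTolerations template simply flags any Pod toleration whose key appears in parameters.tolerations; the constraint and Pod are constructed to mirror the manifest above.

```python
# Constructed constraint, same shape as the manifest above (not a real cluster object).
CONSTRAINT = {
    "kind": "RestrictTolerations",
    "metadata": {"name": "restrict-tolerations"},
    "spec": {
        "enforcementAction": "warn",
        "match": {"kinds": [{"apiGroups": [""], "kinds": ["Pod"]}]},
        "parameters": {"tolerations": [
            {"key": "node-role.kubernetes.io/demo"},
            {"key": "node-role.kubernetes.io/another"},
            {"key": "node-role.kubernetes.io/yetanother"},
        ]},
    },
}

def with_action(constraint, action):
    """Copy of the constraint with spec.enforcementAction replaced (e.g. warn -> deny)."""
    return {**constraint, "spec": {**constraint["spec"], "enforcementAction": action}}

def matches_kind(constraint, obj):
    """Does spec.match.kinds cover the object's API group and kind?"""
    api = obj["apiVersion"]
    group = api.split("/")[0] if "/" in api else ""   # core group is ""
    return any(group in r["apiGroups"] and obj["kind"] in r["kinds"]
               for r in constraint["spec"]["match"]["kinds"])

def violations(constraint, pod):
    """Assumed template logic: flag any toleration whose key is in parameters.tolerations."""
    restricted = {t["key"] for t in constraint["spec"]["parameters"]["tolerations"]}
    found = [t["key"] for t in pod["spec"].get("tolerations", []) if t.get("key") in restricted]
    if not found:
        return []
    return [f"[{constraint['metadata']['name']}] found restricted toleration(s): {', '.join(found)}"]

def admit(constraint, pod):
    """Simulate admission. Returns (admitted, action, messages shown to the client).
    deny: rejected; warn: admitted, messages become kubectl warnings;
    dryrun: admitted silently, violations only show up in the audit results."""
    if not matches_kind(constraint, pod):
        return True, None, []
    action = constraint["spec"].get("enforcementAction", "deny")  # Gatekeeper's default
    if action not in ("deny", "warn", "dryrun"):
        raise ValueError(f"unknown enforcementAction {action!r}")
    msgs = violations(constraint, pod)
    if action == "deny" and msgs:
        return False, action, msgs
    return True, action, msgs if action == "warn" else []
```

Running the same Pod through with_action(CONSTRAINT, "deny") is a quick way to preview what users will hit once a warn-mode constraint is promoted to deny.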
Posted on 07/11/2022