2 min read | by Jordi Prats
OPA Gatekeeper is most commonly used to block certain objects from getting into the Kubernetes cluster, but we can use it to warn the user as well.
To do so we just need to set spec.enforcementAction to warn as follows:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictTolerations
metadata:
  name: restrict-tolerations
  annotations:
    "helm.sh/hook": "post-install,post-upgrade"
    "helm.sh/hook-delete-policy": "before-hook-creation"
    "helm.sh/hook-weight": "1"
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    tolerations:
      - key: node-role.kubernetes.io/demo
      - key: node-role.kubernetes.io/another
      - key: node-role.kubernetes.io/yetanother
```
On the ENFORCEMENT-ACTION column we'll see this setting:
```
$ kubectl get RestrictTolerations
NAME                                ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
restrict-infra-master-tolerations   warn                 0
```
With this rule in place we'll get warnings when applying the object but it will get through anyway:
```
$ kubectl apply -f testPod.yaml
Warning: [restrict-infra-master-tolerations] found restricted toleration(s)
pod/pod-tolerations-test created
```
We can use this to warn users about potential problems with their manifests without affecting their ability to manage their own manifests.
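As an added example (not code from this post nor from Gatekeeper itself), the following Python script simulates locally how the constraint's `enforcementAction` changes the admission outcome for a Pod such as the one applied above. The `RestrictTolerations` ConstraintTemplate is not shown in the post, so the matching rule used here (flag every toleration whose key appears in `spec.parameters.tolerations`) is an assumption, as are the sample Pod manifest and the dict form in which the manifests are embedded.

```python
"""Offline simulation of a Gatekeeper admission decision under the three
enforcement actions (deny, warn, dryrun).  Added illustration; not
Gatekeeper's own code.  The RestrictTolerations logic is assumed."""
import copy
from dataclasses import dataclass, field

# Constructed sample: the constraint from the post, as PyYAML would parse it.
CONSTRAINT = {
    "apiVersion": "constraints.gatekeeper.sh/v1beta1",
    "kind": "RestrictTolerations",
    "metadata": {"name": "restrict-tolerations"},
    "spec": {
        "enforcementAction": "warn",
        "match": {"kinds": [{"apiGroups": [""], "kinds": ["Pod"]}]},
        "parameters": {
            "tolerations": [
                {"key": "node-role.kubernetes.io/demo"},
                {"key": "node-role.kubernetes.io/another"},
                {"key": "node-role.kubernetes.io/yetanother"},
            ]
        },
    },
}

# Constructed sample Pod carrying one restricted toleration (assumed testPod.yaml).
TEST_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "pod-tolerations-test"},
    "spec": {
        "tolerations": [
            {"key": "node-role.kubernetes.io/demo", "operator": "Exists", "effect": "NoSchedule"}
        ],
        "containers": [{"name": "app", "image": "busybox"}],
    },
}


@dataclass
class AdmissionResult:
    admitted: bool
    warnings: list = field(default_factory=list)  # returned to kubectl as "Warning:" lines
    denials: list = field(default_factory=list)   # cause the request to be rejected


def with_action(constraint, action):
    """Return a copy of the constraint with a different spec.enforcementAction."""
    c = copy.deepcopy(constraint)
    c["spec"]["enforcementAction"] = action
    return c


def matches(constraint, obj):
    """Does spec.match.kinds select this object's API group and kind?"""
    api_version = obj["apiVersion"]
    group = api_version.split("/")[0] if "/" in api_version else ""  # core group is ""
    for entry in constraint["spec"]["match"]["kinds"]:
        groups, kinds = entry["apiGroups"], entry["kinds"]
        if ("*" in groups or group in groups) and ("*" in kinds or obj["kind"] in kinds):
            return True
    return False


def violations(constraint, pod):
    """Assumed RestrictTolerations rule: report tolerations whose key is restricted."""
    restricted = {t["key"] for t in constraint["spec"]["parameters"]["tolerations"]}
    found = [t["key"] for t in pod["spec"].get("tolerations", []) if t.get("key") in restricted]
    return [f"found restricted toleration(s): {', '.join(found)}"] if found else []


def admit(obj, constraints):
    """Evaluate every matching constraint and apply its enforcement action."""
    result = AdmissionResult(admitted=True)
    for c in constraints:
        if not matches(c, obj):
            continue
        action = c["spec"].get("enforcementAction", "deny")  # Gatekeeper default is deny
        name = c["metadata"]["name"]
        for msg in violations(c, obj):
            line = f"[{name}] {msg}"
            if action == "deny":
                result.denials.append(line)
                result.admitted = False
            elif action == "warn":
                result.warnings.append(line)
            # "dryrun": only recorded in the constraint's status; the request is untouched
    return result


if __name__ == "__main__":
    for action in ("deny", "warn", "dryrun"):
        r = admit(TEST_POD, [with_action(CONSTRAINT, action)])
        print(f"{action:>6}: admitted={r.admitted} warnings={r.warnings} denials={r.denials}")
```

With `warn`, as in the post, the Pod is created and the violation only reaches the user as a `Warning:` line; with `dryrun` it is not even shown at apply time. In both cases the violation is still counted by Gatekeeper's audit in the `TOTAL-VIOLATIONS` column, so that counter (or the constraint's `status.violations`) is what to watch while a new constraint is rolled out in `warn` mode before switching it to `deny`.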
Posted on 07/11/2022