Never Trust, Always Verify.
Please follow the Gatekeeper Installation Guide to install Gatekeeper (>= v3.9.0).
$ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/v3.9.0/deploy/gatekeeper.yaml
...
OPA Gatekeeper is based on the OPA Constraint Framework: a ConstraintTemplate carries the Rego and the schema, and a Constraint instantiates it with parameters and an enforcement action. Apply the ConstraintTemplates from the repository root with kustomize:
$ kubectl apply -k ./
...
$ kubectl apply -f explicit-protocol-selection/examples/require-explicit-protocol-selection/constraint.yaml
istioexplicitprotocolselection.constraints.gatekeeper.sh/explicitprotocolselection created
Verify that the constraint is in place with enforcement action deny and currently reports no violations:
$ kubectl get constraints
NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS
istioexplicitprotocolselection.constraints.gatekeeper.sh/explicitprotocolselection deny 0
Install Gator to evaluate the constraints offline against the test suite in this repository. The same suite can run in a CI/CD pipeline, so a policy regression is caught before a manifest ever reaches the cluster (shift-left), with no Gatekeeper deployment required.
$ gator verify explicit-protocol-selection/suite.yaml
ok Users/I546303/Documents/Workspace/github/gatekeeper-istio/explicit-protocol-selection/suite.yaml 0.027s
PASS
- Test an allowed Service (protocol selected via appProtocol). A server-side dry run still passes through the Gatekeeper admission webhook, so the policy is exercised without creating the object:
$ kubectl apply -f explicit-protocol-selection/examples/require-explicit-protocol-selection/allow-app-protocol.yaml --dry-run=server
service/my-service created (server dry run)
- Test a disallowed Service port name (the webhook rejects the dry run because "http3" is not a protocol Istio recognises):
$ kubectl apply -f explicit-protocol-selection/examples/require-explicit-protocol-selection/disallow-port-name.yaml --dry-run=server
Error from server (Forbidden): error when creating "explicit-protocol-selection/examples/require-explicit-protocol-selection/disallow-port-name.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [explicitprotocolselection] port: {"name": "http3", "port": 443, "protocol": "TCP", "targetPort": 443} name or appProtocol is invalid
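The same rule can be checked before admission, for example as a CI step over rendered manifests. The script below is an added example, not the repository's ConstraintTemplate or its Rego; it mirrors Istio's explicit protocol selection rule as documented (appProtocol takes precedence over the port name, "grpc-web" is matched before the hyphen split, otherwise the prefix before the first "-" must be one of Istio's protocol names). The protocol list, the function names and the sample manifests are assumptions constructed for this example; the only port taken from the page is the "http3" one the webhook denies above.

```python
"""Shift-left check for Istio explicit protocol selection on Service ports.

Added example (not the repository's constraint). Reads a Service or a
kubectl List in JSON (e.g. `kubectl get svc -A -o json`) and reports every
port that selects no protocol via appProtocol or a recognised name prefix.
"""
import json
import sys
from typing import Dict, List, Optional

# Protocol names Istio recognises for explicit selection (assumed from the
# Istio protocol selection docs; "http3" is deliberately not among them).
ISTIO_PROTOCOLS = frozenset({
    "http", "http2", "https", "grpc", "grpc-web", "mongo", "mysql",
    "redis", "tcp", "tls", "udp",
})


def selected_protocol(port: Dict) -> Optional[str]:
    """Return the protocol a Service port explicitly selects, or None.

    appProtocol wins over the port name. The value is matched against
    "grpc-web" first (it contains a hyphen), then by the prefix before the
    first "-", case-insensitively. An unknown prefix such as "http3" or an
    unnamed port yields None, which is what the constraint denies.
    """
    value = str(port.get("appProtocol") or port.get("name") or "").lower()
    if value.startswith("grpc-web"):
        return "grpc-web"
    prefix = value.split("-", 1)[0]
    return prefix if prefix in ISTIO_PROTOCOLS else None


def service_violations(service: Dict) -> List[str]:
    """One message per port of a Service that lacks explicit selection."""
    violations = []
    for port in service.get("spec", {}).get("ports", []):
        if selected_protocol(port) is None:
            # Same wording as the Gatekeeper denial above, for easy grepping.
            violations.append(
                "port: " + json.dumps(port, sort_keys=True)
                + " name or appProtocol is invalid"
            )
    return violations


def manifest_violations(doc: Dict) -> List[str]:
    """Check a single Service or a kubectl List; other kinds are ignored."""
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    out = []
    for obj in items:
        if obj.get("kind") != "Service":
            continue
        name = obj.get("metadata", {}).get("name", "<unnamed>")
        out.extend(f"[{name}] {v}" for v in service_violations(obj))
    return out


# Constructed sample input for the demo (not the repository's example YAML).
SAMPLE_LIST = {
    "kind": "List",
    "items": [
        {"kind": "Service", "metadata": {"name": "named-ports"},
         "spec": {"ports": [
             {"name": "http-web", "port": 80, "protocol": "TCP", "targetPort": 8080},
             {"name": "grpc-web-ui", "port": 8081, "protocol": "TCP", "targetPort": 8081},
         ]}},
        {"kind": "Service", "metadata": {"name": "app-protocol"},
         "spec": {"ports": [
             {"name": "web", "appProtocol": "http", "port": 80,
              "protocol": "TCP", "targetPort": 8080},
         ]}},
        {"kind": "Service", "metadata": {"name": "bad-port"},
         "spec": {"ports": [
             # The port the Gatekeeper webhook rejects in the dry run above.
             {"name": "http3", "port": 443, "protocol": "TCP", "targetPort": 443},
         ]}},
    ],
}


def main() -> int:
    """Exit non-zero when any Service violates the rule (CI-friendly)."""
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_LIST
    problems = manifest_violations(doc)
    for line in problems:
        print(line)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with no arguments to see the constructed sample flag only the "http3" port, or point it at a JSON file produced by `kubectl get svc -A -o json` (or a rendered manifest converted to JSON) in a pipeline step; a non-zero exit fails the job. It complements Gator rather than replacing it: Gator evaluates the real Rego, this script only re-implements the rule for a fast pre-commit check.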