Need help: Constraint template for ensuring every namespace has at least one network policy

[sureshgoli25]

Hi All,

[Need Help]
I am a new bee...

Summary: I am trying to create constraint template to find a way to ensure every namespace in a cluster has at least one network policy defined.

Having little bit of challenges to debug the expressions i have written. Might be completely wrong also ...:)

    violation[{"msg": msg}] {
      input.review.kind.kind == "Pod"
      netpols := data.inventory.namespace[input.review.object.metadata.namespace]["networking.k8s.io"]["NetworkPolicy"][_].metadata.name
      count(netpols) > 0
      msg := "No Network Policy defined in the namespace"
    }

As per above rule. If the input kind is POD.
The next role brings the name of the network policies of that particular name using data sync of namespace.

The count checks if the value of the network policy is more than 0 or in other words namespace have the network policy defined. If network policy not existed then, put message back to user to say to define the network policy.

I am facing problem with regards to data inventory stuff. Somehow the condition is always matching and constraint is allowing to create pod in a namespace where network policy not defined also.

[louise-zhang]

Hi sureshgoli25, have you resolved this issue? I am looking for the solution for the same thing.

[sureshgoli25]

This is my working solution. Might be needed some changes for your case.

# Sync to import the data to Gatekeeper
---
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: "" # CHANGE ME
spec:
# https://open-policy-agent.github.io/gatekeeper/website/docs/sync/
  sync:
    syncOnly:
      - group: ""
        version: "v1"
        kind: "Namespace"
      - group: "networking.k8s.io"
        version: "v1"
        kind: "NetworkPolicy"

 # https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces/
  match:
    - excludedNamespaces: ["kube-*", "calico-system", "tigera-operator"]
      processes: ["*"]

# Template
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sensurenshasnetworkpolicy
  annotations:
    description: >-
      Disallows admissions if network policy not presented.

      https://kubernetes.io/docs/concepts/services-networking/network-policies/

      https://git.daimler.com/TAF-CAAS/quick-start-guides/tree/master/networkpolicies

spec:
  crd:
    spec:
      names:
        kind: k8sEnsureNShasNetworkPolicy

  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequireddefaultnetworkpolicy

        violation[{"msg": msg}] {
          ns      := input.review.object.metadata.namespace
          netpols := [name | data.inventory.namespace[ns]["networking.k8s.io/v1"]["NetworkPolicy"][name]]
          count(netpols) <= 0
          msg := sprintf("No Network Policy defined in the namespace %v",[ns])
        }

# Constraint
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: k8sEnsureNShasNetworkPolicy
metadata:
  name: ensurenetworkpolicy
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Service"]
#    - apiGroups: ["apps"]
#      kinds: ["Deployment", "ReplicaSet", "StatefulSet", "DaemonSet"]
#    - apiGroups: ["batch"]
#      kinds: ["Job", "CronJob"]
    - apiGroups: ["networking.k8s.io"]
      kinds: ["Ingress"]
    labelSelector:
      matchExpressions: []
    namespaceSelector:
      matchExpressions: []
    scope: '*'

[anderseknert]

I'm no Gatekeeper expert, but if you're looking to count something you'll want to ensure you get the full list of items. A looping construct like the one below will return each item one by one:

netpols := data.inventory.namespace[input.review.object.metadata.namespace]["networking.k8s.io"]["NetworkPolicy"][_].metadata.name

If you wrap it in a comprehension you should be able to collect all of them instead:

netpols := [netpol | netpol := data.inventory.namespace[input.review.object.metadata.namespace]["networking.k8s.io"]["NetworkPolicy"][_].metadata.name]

And the count should then work as expected.