Evaluating Gatekeeper policies with the Rego Playground

Writing and evaluating Gatekeeper policies can be hard sometimes. Especially the testing part of a newly created policy.

There are different approaches to tackle this like having a dedicated test Kubernetes cluster for it. An alternative we used was a script starting a single node KinD cluster on Docker for Mac and installing Gatekeeper onto it.

The advantage of this approach you see how the policy works under real conditions. The disadvantage is properly the long feedback loop until the policy works as expected. Especially when you write complex policies.

Rego Playground

Here comes the Rego Playground into play. It is a web service that lets you easily evaluate your written policy.

-> https://play.openpolicyagent.org/

Rego Playground start page

As seen in the screenshot on the left-hand side you put your Gatekeeper policy. You do not paste the whole ConstraintTemplate into the field just the part in the template after rego: |.

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdisableautomountserviceaccounttoken
spec:
  crd:
    spec:
      names:
        kind: K8sDisableAutomountServiceAccountToken
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdisableautomountserviceaccounttoken
        missing(obj) = true {
          not obj.automountServiceAccountToken == true
          not obj.automountServiceAccountToken == false
          obj.serviceAccount == "default"
        }
        violation[{"msg": msg}] {
          p := input_pod[_]
          missing(p.spec)
          msg := sprintf("automountServiceAccountToken field is missing for pod %v while using Service Account %v", [p.metadata.name, p.spec.serviceAccount])
        }
        violation[{"msg": msg, "details": {}}] {
          p := input_pod[_]
          p.spec.automountServiceAccountToken
          p.spec.serviceAccount == "default"
          msg := sprintf("Service Account token automount is not allowed for pod %v while using Service Account %v, spec.automountServiceAccountToken: %v", [p.metadata.name, p.spec.serviceAccount, p.spec.automountServiceAccountToken])
        }
        input_pod[p] {
          p := input.review.object
        }

On the right-hand side in the upper part, you paste your input object as JSON. This can be for instance the output of an existing pod in your Kubernetes cluster.

kubectl get pods go-webapp-58554df444-mkph9 -o json

The reference to the input object for Gatekeeper on Kubernetes is input.object.review.

When pasting the JSON output for our pod into the Rego Playground as input we adjust the reference to the input object to just input.

After that is done a click on Evaluate validates the input against the policy.

You get the results on the right-hand side directly underneath of the input section.

First policy evaluation without adjustments Second policy evaluation with adjustments and value true

Looking at the screenshot the pod violates the policy. One small adjustment to the input object later it passes the policy.

Third policy evaluation with adjustments and value false

Summary

The Rego Playground makes the writing of Gatekeeper policies a breeze. You get a fast feedback loop without spinning up a local KinD cluster or having a test Kubernetes cluster in place.

Facebooktwitterlinkedinmail