Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add GATEKEEPER.md for a guide on enforcing use of Kata Containers #432

Draft
wants to merge 1 commit into
base: devel
Choose a base branch
from
Draft

Add GATEKEEPER.md for a guide on enforcing use of Kata Containers #432

wants to merge 1 commit into from

Conversation

jensfr
Copy link
Contributor

@jensfr jensfr commented Jul 18, 2024
edited
Loading

- What I did
This commit adds GATEKEEPER.md to the docs directory and example yaml
manifests to config/sample/gatekeeper. The document
provides a step-by-step guide on using OpenShift Gatekeeper to enforce
policies that require privileged pods to use Kata Containers.

- Description of the problem which is fixed/What is the use case
Reasons to include this in the repository:

Kata Containers enhance isolation for sensitive workloads. This guide
helps users implement and enforce their use through Gatekeeper policies.
By including this, we aim to:

  1. Educate users with clear instructions on enforcing security policies.
  2. Promote best practices for securing Kubernetes environments.
  3. Improve usability by offering a structured, practical example.

Structure

  1. Constraint Template: Steps to create and apply.
  2. Constraint: Instructions to create and apply.
  3. Pod Manifest: Example for testing.
  4. Compliance*: How to verify.

This document enhances the repository by providing practical guidance on
using Kata Containers with Gatekeeper.

- How to verify it
Read it and try it out.

Signed-off-by: Jens Freimann [email protected]

@jensfr
Add GATEKEEPER.md for a guide on enforcing use of Kata Containers
9d7a0d2 
This commit adds GATEKEEPER.md to the docs directory and example yaml
manifests to config/sample/gatekeeper. The document
provides a step-by-step guide on using OpenShift Gatekeeper to enforce
policies that require privileged pods to use Kata Containers.

Reasons to include this in the repository:

Kata Containers enhance isolation for sensitive workloads. This guide
helps users implement and enforce their use through Gatekeeper policies.
By including this, we aim to:

1. Educate users with clear instructions on enforcing security policies.
2. Promote best practices for securing Kubernetes environments.
3. Improve usability by offering a structured, practical example.

Structure

1. Constraint Template: Steps to create and apply.
2. Constraint: Instructions to create and apply.
3. Pod Manifest: Example for testing.
4. Compliance*: How to verify.

This document enhances the repository by providing practical guidance on
using Kata Containers with Gatekeeper.

Signed-off-by: Jens Freimann <[email protected]>
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 18, 2024
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jul 18, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

bpradipt
bpradipt reviewed Oct 5, 2024
View reviewed changes
config/samples/gatekeeper/constraint.yaml
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this also apply to higher level objects like Deployments etc, or creating the policy for Pod automatically applies it to higher level constructs that uses Pod (eg. Deployments, Replicasets etc) ?

@openshift-bot
Copy link

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 4, 2025
@openshift-bot
Copy link

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

@openshift-ci openshift-ci bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bpradipt bpradipt bpradipt left review comments

Assignees
No one assigned
Labels
do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jensfr @openshift-bot @bpradipt