Opa deny unallowed docker registries

40240331 · Mark Sanchez · Micah Nagel · 0d697b9b · 40240331 · 40240331
Commit 40240331 authored 3 years ago by Mark Sanchez Committed by Micah Nagel 3 years ago
--- a/chart/templates/gatekeeper/values.yaml
+++ b/chart/templates/gatekeeper/values.yaml
@@ -45,4 +45,16 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
      excludedNamespaces:
        - logging # FluentBit needs selinux option type spc_t
  {{- end }}
+  allowedDockerRegistries:
+    match:
+      excludedNamespaces: 
+       {{- if .Values.istio.enabled }}
+        - istio-system # allows creation for loadbalancer pods for various ports and various vendor loadbalancers
+       {{- end }}
+        - kube-system # ignored as the kubernetes distro cannot be controlled
+    {{- if .Values.addons.mattermost.enabled }}
+    parameters:
+      exemptContainers:
+        - init-check-database # mattermost needs postgres:13 image and cannot override the upstream
+    {{- end }}
 {{- end -}}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -281,7 +281,7 @@ gatekeeper:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
    path: "./chart"
-    tag: "3.5.1-bb.1"
+    tag: "3.5.1-bb.2"

  # -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package
  flux:

--- a/docs/production.md
+++ b/docs/production.md
+# Big Bang Production
+
+Table of Contents
+
+- [Big Bang Production](#big-bang-production)
+  - [Production Deployment](#production-deployment)
+
+## Production Deployment
+
+Note: When deploying to production, istio-system should be removed from `excludedNamespaces` under the `allowedDockerRegistries` violations (see `chart/templates/gatekeeper/values.yaml` for reference). This can be done by modifying `chart/values.yaml` file or passing an override file with the values set as seen below. Production should not allow containers in the `istio-system` namespace to be pulled from outside of Registry1. 
+
+The gatekeeper `values` section should resemble below when deploying to production.
+```
+# OPA Gatekeeper
+#
+gatekeeper:
+  # -- Toggle deployment of OPA Gatekeeper.
+  enabled: true
+  git:
+    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
+    path: "./chart"
+    tag: "3.5.1-bb.2"
+
+  # -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package
+  flux: {}
+
+  # -- Values to passthrough to the gatekeeper chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
+  values:
+      violations:
+        allowedDockerRegistries:
+          match:
+            excludedNamespaces: 
+              - kube-system # ignored as the kubernetes distro cannot be controlled
+
+  # -- Post Renderers.  See docs/postrenders.md
+  postRenderers: []
+```
+
+To validate it was deployed correctly on your cluster run the following command:
+
+`kubectl get k8sallowedrepos.constraints.gatekeeper.sh/allowed-docker-registries -o yaml`
+
+You should only see `kube-system` under `excludedNamespaces` section.
+
+Output:
+```
+  name: allowed-docker-registries
+  resourceVersion: "10390"
+  uid: b51b3887-3cf8-4495-b37e-fb8ef31755db
+spec:
+  enforcementAction: deny
+  match:
+    excludedNamespaces:
+    - kube-system
+    kinds:
+    - apiGroups:
+      - ""
+      kinds:
+      - Pod
+  parameters:
+    exemptContainers: []
+    repos:
+    - registry1.dso.mil
+    - registry.dso.mil
+```
+
+