Add GATEKEEPER.md for a guide on enforcing use of Kata Containers #432
+244
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit adds GATEKEEPER.md to the docs directory and example yaml manifests to config/sample/gatekeeper. The document provides a step-by-step guide on using OpenShift Gatekeeper to enforce policies that require privileged pods to use Kata Containers. Reasons to include this in the repository: Kata Containers enhance isolation for sensitive workloads. This guide helps users implement and enforce their use through Gatekeeper policies. By including this, we aim to: 1. Educate users with clear instructions on enforcing security policies. 2. Promote best practices for securing Kubernetes environments. 3. Improve usability by offering a structured, practical example. Structure 1. Constraint Template: Steps to create and apply. 2. Constraint: Instructions to create and apply. 3. Pod Manifest: Example for testing. 4. Compliance*: How to verify. This document enhances the repository by providing practical guidance on using Kata Containers with Gatekeeper. Signed-off-by: Jens Freimann <[email protected]>
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
bpradipt
reviewed
Oct 5, 2024
| match: | ||
| kinds: | ||
| - apiGroups: [""] | ||
| kinds: ["Pod"] |
There was a problem hiding this comment.
Should this also apply to higher level objects like Deployments etc, or creating the policy for Pod automatically applies it to higher level constructs that uses Pod (eg. Deployments, Replicasets etc) ?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
- What I did
This commit adds GATEKEEPER.md to the docs directory and example yaml
manifests to config/sample/gatekeeper. The document
provides a step-by-step guide on using OpenShift Gatekeeper to enforce
policies that require privileged pods to use Kata Containers.
- Description of the problem which is fixed/What is the use case
Reasons to include this in the repository:
Kata Containers enhance isolation for sensitive workloads. This guide
helps users implement and enforce their use through Gatekeeper policies.
By including this, we aim to:
Structure
This document enhances the repository by providing practical guidance on
using Kata Containers with Gatekeeper.
- How to verify it
Read it and try it out.
Signed-off-by: Jens Freimann [email protected]