creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 14:14:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/implementing-opa-gatekeeper-for-policy-enforcement/references/workflows.md
T

2.7 KiB
Raw Blame History

Workflow - OPA Gatekeeper Policy Enforcement

Phase 1: Install Gatekeeper

helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm repo update
helm install gatekeeper gatekeeper/gatekeeper \
  --namespace gatekeeper-system --create-namespace \
  --set replicas=3 --set audit.replicas=1

kubectl -n gatekeeper-system rollout status deployment/gatekeeper-controller-manager

Phase 2: Deploy ConstraintTemplates

# Clone Gatekeeper policy library
git clone https://github.com/open-policy-agent/gatekeeper-library.git

# Apply common templates
kubectl apply -f gatekeeper-library/library/pod-security-policy/privileged-containers/template.yaml
kubectl apply -f gatekeeper-library/library/pod-security-policy/host-namespaces/template.yaml
kubectl apply -f gatekeeper-library/library/pod-security-policy/allow-privilege-escalation/template.yaml
kubectl apply -f gatekeeper-library/library/general/allowedrepos/template.yaml
kubectl apply -f gatekeeper-library/library/general/requiredlabels/template.yaml
kubectl apply -f gatekeeper-library/library/general/containerlimits/template.yaml

Phase 3: Deploy Constraints in Dryrun Mode

kubectl apply -f - <<EOF
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: block-privileged-dryrun
spec:
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces:
      - kube-system
      - gatekeeper-system
EOF

Phase 4: Review Audit Violations

# Check violations for each constraint
kubectl get constraints -o json | jq '.items[] | {
  name: .metadata.name,
  enforcement: .spec.enforcementAction,
  violations: (.status.violations // [] | length),
  total_violations: .status.totalViolations
}'

# Get detailed violations
kubectl get k8spsprivilegedcontainer block-privileged-dryrun -o json | jq '.status.violations[]'

Phase 5: Switch to Enforcement

# After reviewing violations and remediating, switch to deny
kubectl patch k8spsprivilegedcontainer block-privileged-dryrun \
  --type=merge -p '{"spec":{"enforcementAction":"deny"}}'

Phase 6: Test Enforcement

# This should be denied
kubectl run test-priv --image=nginx --overrides='{"spec":{"containers":[{"name":"test","image":"nginx","securityContext":{"privileged":true}}]}}'
# Expected: Error from server (Forbidden): admission webhook denied the request

kubectl delete pod test-priv --ignore-not-found

Phase 7: Monitor and Maintain

# Regular audit check
kubectl get constraints -o wide

# Check Gatekeeper health
kubectl get pods -n gatekeeper-system
kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=20
Reference in New Issue View Git Blame Copy Permalink