k8s-policy
# Kubernetes Policy Management
Manage policies using kubectl-mcp-server's Kyverno and Gatekeeper tools.
## When to Apply
Use this skill when:
- User mentions: "Kyverno", "Gatekeeper", "OPA", "policy", "compliance"
- Operations: enforcing policies, checking violations, policy audit
- Keywords: "require labels", "block privileged", "validate", "enforce"
## Priority Rules
| Priority | Rule | Impact | Tools |
|---|---|---|---|
| 1 | Detect policy engine first | CRITICAL | `kyverno_detect_tool`, `gatekeeper_detect_tool` |
| 2 | Use Audit mode before Enforce | HIGH | `validationFailureAction` |
| 3 | Check policy reports for violations | HIGH | `kyverno_clusterpolicyreports_list_tool`, `kyverno_policyreports_list_tool` |
| 4 | Review constraint templates | MEDIUM | `gatekeeper_constrainttemplates_list_tool` |
## Quick Reference
| Task | Tool | Example |
|---|---|---|
| List Kyverno cluster policies | `kyverno_clusterpolicies_list_tool` | `kyverno_clusterpolicies_list_tool()` |
| Get Kyverno policy | `kyverno_clusterpolicy_get_tool` | `kyverno_clusterpolicy_get_tool(name="require-labels")` |
| List Gatekeeper constraints | `gatekeeper_constraints_list_tool` | `gatekeeper_constraints_list_tool()` |
| Get constraint | `gatekeeper_constraint_get_tool` | `gatekeeper_constraint_get_tool(kind="K8sRequiredLabels", name="require-app-label")` |
## Kyverno

### Detect Installation
```python
kyverno_detect_tool()
```

### List Policies
```python
kyverno_clusterpolicies_list_tool()
kyverno_policies_list_tool(namespace="default")
```

### Get Policy Details
```python
kyverno_clusterpolicy_get_tool(name="require-labels")
kyverno_policy_get_tool(name="require-resources", namespace="default")
```

### Policy Reports
```python
kyverno_clusterpolicyreports_list_tool()
kyverno_policyreports_list_tool(namespace="default")
```

### Common Kyverno Policies
```python
kubectl_apply(manifest="""
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: Enforce
  rules:
    - name: require-app-label
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Label 'app' is required"
        pattern:
          metadata:
            labels:
              app: "?*"
""")

kubectl_apply(manifest="""
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-limits
spec:
  validationFailureAction: Enforce
  rules:
    - name: require-cpu-memory
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "CPU and memory limits required"
        pattern:
          spec:
            containers:
              - resources:
                  limits:
                    cpu: "?*"
                    memory: "?*"
""")
```
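The two policies above reject Pods at admission once they run in Enforce mode. The following is an added example (not code from this page, from kubectl-mcp-server, or from Kyverno): a minimal re-implementation of the subset of Kyverno `validate.pattern` semantics these policies use, so a Pod manifest can be pre-checked locally before an Enforce-mode policy blocks it. Its array-matching rule is a simplification of Kyverno's, and `matches`, `violations`, `POLICIES` and the sample Pods are all constructed here.

```python
import fnmatch

# Pattern subset implemented (assumption: enough for the two policies above):
#   - a string containing "*" or "?" is a wildcard; "?*" means "any non-empty value"
#   - a dict pattern requires every listed key to be present and to match
#   - a list pattern requires every element of the resource list to match
#     at least one pattern element (simplified form of Kyverno's array rules)
def matches(pattern, value):
    """Return True if `value` satisfies the Kyverno-style `pattern`."""
    if isinstance(pattern, dict):
        return isinstance(value, dict) and all(
            k in value and matches(p, value[k]) for k, p in pattern.items())
    if isinstance(pattern, list):
        return isinstance(value, list) and all(
            any(matches(p, item) for p in pattern) for item in value)
    if isinstance(pattern, str) and any(c in pattern for c in "*?"):
        return isinstance(value, (str, int, float)) and \
            fnmatch.fnmatchcase(str(value), pattern)
    return pattern == value

# The two ClusterPolicies from the section above, as (message, pattern).
POLICIES = {
    "require-labels": ("Label 'app' is required",
                       {"metadata": {"labels": {"app": "?*"}}}),
    "require-limits": ("CPU and memory limits required",
                       {"spec": {"containers": [
                           {"resources": {"limits": {"cpu": "?*", "memory": "?*"}}}]}}),
}

def violations(pod):
    """Messages of every policy the Pod dict violates; empty list means compliant."""
    return [f"{name}: {msg}" for name, (msg, pattern) in POLICIES.items()
            if not matches(pattern, pod)]

# Constructed sample: no 'app' label, and the second container has no limits.
BAD_POD = {
    "metadata": {"name": "api", "labels": {"team": "payments"}},
    "spec": {"containers": [
        {"name": "api", "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
        {"name": "sidecar", "resources": {}},
    ]},
}
# Constructed sample that satisfies both policies.
GOOD_POD = {
    "metadata": {"name": "web", "labels": {"app": "web"}},
    "spec": {"containers": [
        {"name": "web", "resources": {"limits": {"cpu": "250m", "memory": "128Mi"}}},
    ]},
}

if __name__ == "__main__":
    print(violations(BAD_POD))   # both policies violated
    print(violations(GOOD_POD))  # []
```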
## Gatekeeper (OPA)

### Detect Installation
```python
gatekeeper_detect_tool()
```

### List Constraints
```python
gatekeeper_constraints_list_tool()
gatekeeper_constrainttemplates_list_tool()
```

### Get Constraint Details
```python
gatekeeper_constraint_get_tool(
    kind="K8sRequiredLabels",
    name="require-app-label"
)
gatekeeper_constrainttemplate_get_tool(name="k8srequiredlabels")
```

### Common Gatekeeper Policies
```python
kubectl_apply(manifest="""
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels
        violation[{"msg": msg}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("Missing labels: %v", [missing])
        }
""")

kubectl_apply(manifest="""
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-app-label
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    labels: ["app", "env"]
""")
```
## Policy Audit Workflow
```python
# 1. Confirm the engine is installed before calling any Kyverno tool
kyverno_detect_tool()
# 2. Enumerate the cluster-wide policies currently applied
kyverno_clusterpolicies_list_tool()
# 3. Read the reports to find resources that fail those policies
kyverno_clusterpolicyreports_list_tool()
```
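The report step of this workflow produces raw ClusterPolicyReport objects; triaging them and deciding when an audited policy is safe to switch to Enforce (priority rules 2 and 3) is left to the operator. As an added example, not code from this page or from kubectl-mcp-server, the following summarizes such reports. It assumes the `wgpolicyk8s.io/v1alpha2` PolicyReport shape Kyverno writes (`results[].policy`, `rule`, `result`, `resources`); the sample reports are constructed, and whatever `kyverno_clusterpolicyreports_list_tool()` actually returns should be fed into the same functions.

```python
from collections import Counter, defaultdict

# Constructed sample shaped like Kyverno ClusterPolicyReport objects (assumption:
# the tool output is, or can be converted to, this wgpolicyk8s.io/v1alpha2 shape).
SAMPLE_REPORTS = [
    {"metadata": {"name": "cpol-require-labels"},
     "results": [
         {"policy": "require-labels", "rule": "require-app-label", "result": "fail",
          "message": "Label 'app' is required",
          "resources": [{"kind": "Pod", "namespace": "payments", "name": "api-7f9"}]},
         {"policy": "require-labels", "rule": "require-app-label", "result": "pass",
          "resources": [{"kind": "Pod", "namespace": "default", "name": "web-1"}]},
     ]},
    {"metadata": {"name": "cpol-require-limits"},
     "results": [
         {"policy": "require-limits", "rule": "require-cpu-memory", "result": "pass",
          "resources": [{"kind": "Pod", "namespace": "default", "name": "web-1"}]},
     ]},
]

def summarize(reports):
    """Per-policy result counts, e.g. {"require-labels": {"fail": 1, "pass": 1}}."""
    counts = defaultdict(Counter)
    for report in reports:
        for r in report.get("results", []):
            # Kyverno results are pass/fail/warn/error/skip; treat a missing field as error
            counts[r["policy"]][r.get("result", "error")] += 1
    return {policy: dict(c) for policy, c in counts.items()}

def failing_resources(reports, policy):
    """'namespace/name (rule)' for every resource recorded as failing `policy`."""
    out = []
    for report in reports:
        for r in report.get("results", []):
            if r["policy"] == policy and r.get("result") == "fail":
                for res in r.get("resources", []):
                    out.append(f"{res.get('namespace', '-')}/{res['name']} ({r['rule']})")
    return out

def ready_to_enforce(reports, policy):
    """Promotion gate for priority rule 2: flip validationFailureAction from Audit
    to Enforce only when the audit shows passes and no fail/error results. A policy
    with no results at all has not been audited yet, so it is not ready."""
    c = summarize(reports).get(policy, {})
    return c.get("pass", 0) > 0 and c.get("fail", 0) == 0 and c.get("error", 0) == 0

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORTS))
    print(failing_resources(SAMPLE_REPORTS, "require-labels"))
    print(ready_to_enforce(SAMPLE_REPORTS, "require-limits"))  # True
```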
## Prerequisites
- Kyverno: Required for Kyverno tools

  ```bash
  kubectl create -f https://github.com/kyverno/kyverno/releases/latest/download/install.yaml
  ```

- Gatekeeper: Required for Gatekeeper tools

  ```bash
  kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml
  ```
## Related Skills
- k8s-security - RBAC and security
- k8s-operations - Apply policies