I am curious to know if there is a way to do a Kustomize replacement or other operation to inject the contents of a non-yaml file into a yaml file using Kustomize. I know Kustomize is not a template engine and that this could be accomplished with Helm, but using the tool I am already using, is this possible?
My use case is to store OPA policies as native rego, which allows use of OPA unit tests, and to inject the content of these rego files into Gatekeeper constraints during Kustomize deployment. This will remove the requirement for custom pipeline processing or manual copy/paste to accomplish this.
Example opaRule.rego file
package k8sdisallowedtags
violation[{"msg": msg}] {
container := input_containers[_]
tags := [forbid | tag = input.parameters.tags[_] ; forbid = endswith(container.image, concat(":", ["", tag]))]
any(tags)
msg := sprintf("container <%v> uses a disallowed tag <%v>; disallowed tags are %v", [container.name, container.image, input.parameters.tags])
}
...
Example constraintTemplate.yaml file
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8sdisallowedtags
namespace: kube-system
annotations:
description: Requires container images to have an image tag different
from the ones in a specified list.
spec:
crd:
spec:
names:
kind: K8sDisallowedTags
validation:
openAPIV3Schema:
properties:
tags:
type: array
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |-
{CONTENT OF OPA RULE POLICY HERE}
Kustomize allows to create plugins to extend its functionality. And there are almost zero limitations including security - this should be handled by author of the plugin.
There are two kinds of plugins:
All available information can be found in Extending Kustomize - documentation.
Example of exec plugin. Note! correct flag is --enable-alpha-plugins
(with -
, not with _
as in example).
Patches (also call overlays) add or override fields on resources. They are provided using the patches Kustomization field.
The patches field contains a list of patches to be applied in the order they are specified.
Each patch may:
- be either a strategic merge patch, or a JSON6902 patch
- be either a file, or an inline string target
- a single resource or multiple resources
Reference to kustomize - patches
Below is example how to patch gatekeeper.yaml
object.
Structure:
$ tree
.
├── gatekeeper.yaml
├── kustomization.yaml
└── opa-gk.yaml
$ cat gatekeeper.yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8sdisallowedtags
namespace: kube-system
annotations:
description: Requires container images to have an image tag different
from the ones in a specified list.
spec:
crd:
spec:
names:
kind: K8sDisallowedTags
validation:
openAPIV3Schema:
properties:
tags:
type: array
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |-
{CONTENT OF OPA RULE POLICY HERE}
$ cat kustomization.yaml
resources:
- gatekeeper.yaml
patches:
- path: opa-gk.yaml
target:
group: templates.gatekeeper.sh
version: v1beta1
kind: ConstraintTemplate
name: k8sdisallowedtags
$ cat opa-gk.yaml
- op: add
path: /spec/targets/0/rego
value: |
package k8sdisallowedtags
violation[{"msg": msg}] {
container := input_containers[_]
tags := [forbid | tag = input.parameters.tags[_] ; forbid = endswith(container.image, concat(":", ["", tag]))]
any(tags)
msg := sprintf("container <%v> uses a disallowed tag <%v>; disallowed tags are %v", [container.name, container.image, input.parameters.tags])
}
...
End result:
$ kubectl kustomize .
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
annotations:
description: Requires container images to have an image tag different from the
ones in a specified list.
name: k8sdisallowedtags
namespace: kube-system
spec:
crd:
spec:
names:
kind: K8sDisallowedTags
validation:
openAPIV3Schema:
properties:
tags:
items:
type: string
type: array
targets:
- rego: |
package k8sdisallowedtags
violation[{"msg": msg}] {
container := input_containers[_]
tags := [forbid | tag = input.parameters.tags[_] ; forbid = endswith(container.image, concat(":", ["", tag]))]
any(tags)
msg := sprintf("container <%v> uses a disallowed tag <%v>; disallowed tags are %v", [container.name, container.image, input.parameters.tags])
}
...
target: admission.k8s.gatekeeper.sh