← 返回技能列表在 GitHub 上查看
enforce-policy-as-code
pjt222
更新于 6 days ago
14 次查看
17
2
17
元ai
关于
This skill implements policy-as-code enforcement for Kubernetes using OPA Gatekeeper or Kyverno to validate and mutate resources against organizational policies. It covers constraint templates, admission control, audit functionality, and CI/CD integration for shift-left validation. Use it to enforce configuration standards, prevent security misconfigurations, ensure compliance, and audit existing cluster resources.
快速安装
Claude Code
推荐主要方式
npx skills add pjt222/agent-almanac -a claude-code插件命令备选方式
/plugin add https://github.com/pjt222/agent-almanacGit 克隆备选方式
git clone https://github.com/pjt222/agent-almanac.git ~/.claude/skills/enforce-policy-as-code在 Claude Code 中复制并粘贴此命令以安装该技能
技能文档
以碼行策
用 OPA Gatekeeper 或 Kyverno 行宣告式策,驗與變 Kubernetes 資源。
用
- 行資源組態之組規(標、注、限)
- 防安全誤設(特權容器、主名、不安映像)
- 資源布前確合規
- 規範命名與元
- 經變策自癒
- 審舊資源合策否而不阻
- 入 CI/CD 為左移策驗
入
- 必:管權之 Kubernetes 群
- 必:擇策引(OPA Gatekeeper 或 Kyverno)
- 必:所行策列(安、規、營)
- 可:待審之舊資源
- 可:特名或資源之豁免模
- 可:CI/CD 管線設(布前驗)
行
見 Extended Examples 備全設與模。
一:裝策引
布 OPA Gatekeeper 或 Kyverno 為入控器。
OPA Gatekeeper:
# Install Gatekeeper using Helm
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm repo update
# Install with audit enabled
helm install gatekeeper gatekeeper/gatekeeper \
--namespace gatekeeper-system \
--create-namespace \
--set audit.replicas=2 \
--set replicas=3 \
--set validatingWebhookFailurePolicy=Fail \
--set auditInterval=60
# Verify installation
kubectl get pods -n gatekeeper-system
kubectl get crd | grep gatekeeper
# Check webhook configuration
kubectl get validatingwebhookconfigurations gatekeeper-validating-webhook-configuration -o yaml
Kyverno:
# Install Kyverno using Helm
helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update
# Install with HA setup
helm install kyverno kyverno/kyverno \
--namespace kyverno \
--create-namespace \
--set replicaCount=3 \
--set admissionController.replicas=3 \
--set backgroundController.replicas=2 \
--set cleanupController.replicas=2
# Verify installation
kubectl get pods -n kyverno
kubectl get crd | grep kyverno
# Check webhook configurations
kubectl get validatingwebhookconfigurations kyverno-resource-validating-webhook-cfg
kubectl get mutatingwebhookconfigurations kyverno-resource-mutating-webhook-cfg
設名空排除:
# gatekeeper-config.yaml
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
name: config
namespace: gatekeeper-system
spec:
match:
- excludedNamespaces:
- kube-system
- kube-public
- kube-node-lease
- gatekeeper-system
processes:
- audit
- webhook
validation:
traces:
- user: system:serviceaccount:gatekeeper-system:gatekeeper-admin
kind:
group: ""
version: v1
kind: Namespace
得:策引艙多副運。CRD 已裝(Gatekeeper 之 ConstraintTemplate、Constraint;Kyverno 之 ClusterPolicy、Policy)。驗/變鈎活。審控運。
敗:
- 察艙日:
kubectl logs -n gatekeeper-system -l app=gatekeeper --tail=50 - 驗鈎端可達:
kubectl get endpoints -n gatekeeper-system - 察港衝或證於鈎日
- 確群有足資源(策引每副需約 500MB)
- 閱 RBAC:
kubectl auth can-i create constrainttemplates --as=system:serviceaccount:gatekeeper-system:gatekeeper-admin
二:定約模與策
造可複策模與特定約。
OPA Gatekeeper 約模:
# required-labels-template.yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
annotations:
# ... (see EXAMPLES.md for complete configuration)
Kyverno ClusterPolicy:
# kyverno-policies.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-labels
annotations:
# ... (see EXAMPLES.md for complete configuration)
施策:
# Apply Gatekeeper templates and constraints
kubectl apply -f required-labels-template.yaml
# Apply Kyverno policies
kubectl apply -f kyverno-policies.yaml
# Verify constraint/policy status
kubectl get constraints
kubectl get clusterpolicies
# Check for any policy errors
kubectl describe k8srequiredlabels require-app-labels
kubectl describe clusterpolicy require-labels
得:ConstraintTemplates/ClusterPolicies 建成。約態顯「True」執行。策無誤。鈎始評新資源。
敗:
- 驗 Rego 語法(Gatekeeper):用
opa test於本機或察約態 - 察策 YAML 語法:
kubectl apply --dry-run=client -f policy.yaml - 閱約態:
kubectl get constraint -o yaml | grep -A 10 status - 先試簡策,後加複
- 驗匹準(kinds、namespaces)正
三:試策行
驗策阻非合而許合者。
造試單:
# test-non-compliant.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: test-no-labels
namespace: production
# ... (see EXAMPLES.md for complete configuration)
試策:
# Attempt to create non-compliant resource (should fail)
kubectl apply -f test-non-compliant.yaml
# Expected: Error with policy violation message
# Create compliant resource (should succeed)
kubectl apply -f test-compliant.yaml
# Expected: deployment.apps/test-compliant created
# Test with dry-run for validation
kubectl apply -f test-non-compliant.yaml --dry-run=server
# Shows policy violations without actually creating resource
# Clean up
kubectl delete -f test-compliant.yaml
試策報(Kyverno):
# Check policy reports
kubectl get policyreports -A
kubectl get clusterpolicyreports
# View detailed report
kubectl get policyreport -n production -o yaml
# Check policy rule results
kubectl get policyreport -n production -o jsonpath='{.items[0].results}' | jq .
得:非合者拒而示明違信。合者建成。策報示過/敗。乾跑驗不建資源。
敗:
- 察策在審態非行:
validationFailureAction: audit - 驗鈎處請求:
kubectl logs -n gatekeeper-system -l app=gatekeeper - 察名空排除或豁免試名
- 試鈎連:
kubectl run test --rm -it --image=busybox --restart=Never - 閱鈎敗策(Ignore 對 Fail)
四:行變策
經變自動修復。
Gatekeeper 變:
# gatekeeper-mutations.yaml
apiVersion: mutations.gatekeeper.sh/v1beta1
kind: Assign
metadata:
name: add-default-labels
spec:
# ... (see EXAMPLES.md for complete configuration)
Kyverno 變策:
# kyverno-mutations.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-default-labels
spec:
# ... (see EXAMPLES.md for complete configuration)
施而試變:
# Apply mutation policies
kubectl apply -f gatekeeper-mutations.yaml
# OR
kubectl apply -f kyverno-mutations.yaml
# Test mutation with a deployment
# ... (see EXAMPLES.md for complete configuration)
得:變自動加標、源或改映像。布後資源顯變值。策引日記變。變無誤。
敗:
- 察變鈎已啟:
kubectl get mutatingwebhookconfiguration - 驗變策語法:尤 JSON 徑與條件
- 閱日:
kubectl logs -n kyverno deploy/kyverno-admission-controller - 試變勿衝(同欄多變)
- 確變於驗前行(序要)
五:啟審態與報
設審識舊資源之違而不阻。
Gatekeeper 審:
# Audit runs automatically based on auditInterval setting
# Check audit results
kubectl get constraints -o json | \
jq '.items[] | {name: .metadata.name, violations: .status.totalViolations}'
# Get detailed violation information
# ... (see EXAMPLES.md for complete configuration)
Kyverno 審與報:
# Generate policy reports for existing resources
kubectl create job --from=cronjob/kyverno-cleanup-controller -n kyverno manual-report-gen
# View policy reports
kubectl get policyreport -A
kubectl get clusterpolicyreport
# ... (see EXAMPLES.md for complete configuration)
造策合規儀表:
# prometheus-rules.yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: policy-alerts
namespace: monitoring
# ... (see EXAMPLES.md for complete configuration)
得:審識舊資源違而不阻布。策報生過/敗計。違可出以閱。監計已露。違增時警。
敗:
- 驗審控運:
kubectl get pods -n gatekeeper-system -l gatekeeper.sh/operation=audit - 察審週設於裝時
- 閱審日:
kubectl logs -n gatekeeper-system -l gatekeeper.sh/operation=audit - 確 RBAC 許讀諸類以審
- 驗 CRD 態欄已填:
kubectl get constraint -o yaml | grep -A 20 status
六:入 CI/CD 管
布前加策驗以左移行策。
CI/CD 入本:
#!/bin/bash
# validate-policies.sh
set -e
echo "=== Policy Validation for CI/CD ==="
# ... (see EXAMPLES.md for complete configuration)
GitHub Actions 工作流:
# .github/workflows/policy-validation.yaml
name: Policy Validation
on:
pull_request:
paths:
# ... (see EXAMPLES.md for complete configuration)
Pre-commit 鈎:
#!/bin/bash
# .git/hooks/pre-commit
# Validate Kubernetes manifests against policies
if git diff --cached --name-only | grep -E 'manifests/.*\.yaml$'; then
echo "Validating Kubernetes manifests against policies..."
# ... (see EXAMPLES.md for complete configuration)
得:CI/CD 管於布前驗單。策違敗管線並示明信。策報附於 PR。Pre-commit 鈎早捕違。發者於入群前聞策議。
敗:
- 驗 CLI 已裝並在 PATH
- 察 kubeconfig 憑於取策有效
- 先於本機試策驗:
kyverno apply policy.yaml --resource manifest.yaml - 確自群同步之策完整
- 閱策 CLI 日以特定驗誤
驗
- 策引艙以 HA 設運
- 驗與變鈎活且可達
- 約模與策建而無誤
- 非合者拒並示明違信
- 合者布成
- 變策自動修資源
- 審態識舊資源之違
- 策報生且可取
- 監計露以察策合規
- CI/CD 管於布前驗單
- Pre-commit 鈎阻策違
- 名空排除適設
忌
- 鈎敗策:
failurePolicy: Fail於鈎無時阻諸資源。非要策用Ignore,然知安全之虞。行前試鈎可用否 - 初策過嚴:以行態始於嚴策→破舊工作。先審態,閱違,告隊,後漸行
- 缺資源規:策須正定 API 組、版、類。用
kubectl api-resources尋確值。通配符(*)便但損性能 - 變序:變於驗前施。確變勿衝且驗慮變值。並試變與驗
- 名空排除:排系名必要,然勿過排。策熟後常閱排除
- Rego 複(Gatekeeper):複 Rego 策難調。自簡始,於本機以
opa test試,以trace()記,用 gator 離線試 - 性能影響:策評加入時延。策宜高效,匹準宜確,監鈎時延計
- 策衝:多策改同欄致議。跨隊協策,用策庫共模,試組合
- 背景掃:背景審掃全群。大群資源密。依群大與策數調審週
- 版容:策 CRD 版變。Gatekeeper v3 用
v1beta1約,Kyverno v1.11 用kyverno.io/v1。察文以定版
參
manage-kubernetes-secrets- 密驗策security-audit-codebase- 互補之安掃deploy-to-kubernetes- 含策驗之應用布setup-service-mesh- 服務網授權策補入策configure-api-gateway- 關策與入策並行implement-gitops-workflow- 含策驗於管之 GitOps
GitHub 仓库
pjt222/agent-almanac
路径: i18n/wenyan-ultra/skills/enforce-policy-as-code
0agentsagentskillsai-assisted-developmentclaude-codeskillsteams
相关推荐技能
content-collections
元Content Collections 是一个 TypeScript 优先的构建工具,可将本地 Markdown/MDX 文件转换为类型安全的数据集合。它专为构建博客、文档站和内容密集型 Vite+React 应用而设计,提供基于 Zod 的自动模式验证。该工具涵盖从 Vite 插件配置、MDX 编译到生产环境部署的完整工作流。
查看技能
polymarket
元这个Claude Skill为开发者提供完整的Polymarket预测市场开发支持,涵盖API调用、交易执行和市场数据分析。关键特性包括实时WebSocket数据流,可监控实时交易、订单和市场动态。开发者可用它构建预测市场应用、实施交易策略并集成实时市场预测功能。
查看技能
creating-opencode-plugins
元该Skill帮助开发者创建OpenCode插件,用于接入命令、文件、LSP等25+种事件。它提供了插件结构、事件API规范和JavaScript/TypeScript实现模式,适合需要拦截操作、扩展功能或自定义事件处理的场景。开发者可通过它快速构建响应式模块来增强OpenCode AI助手的能力。
查看技能
sglang
元SGLang是一个专为LLM设计的高性能推理框架,特别适用于需要结构化输出的场景。它通过RadixAttention前缀缓存技术,在处理JSON、正则表达式、工具调用等具有重复前缀的复杂工作流时,能实现极速生成。如果你正在构建智能体或多轮对话系统,并追求远超vLLM的推理性能,SGLang是理想选择。
查看技能