CKS - Lab "Opa in Kubernetes" issues

Hi,
lab “Opa in Kubernetes” (link) has some issues.

The first questions seem not to be related to anything explained in the lessons, and then there’s an issue in step 6: the pod created from the /root/test.yaml file should have an issue with the nginx container, which uses image nginx instead of hooli.com/nginx, but if you create the pod the nginx container is loaded (which it shouldn’t be, as confirmed by the provided solution) and the hooli.com/mysql container fails to load due to a TLS certificate validation issue, since the certificate is not for hooli.com but has CN=origin.wme-microsites.com:

  Normal   Scheduled  9s               default-scheduler  Successfully assigned opa/test to controlplane
  Normal   Pulling    8s               kubelet            Pulling image "nginx"
  Normal   Pulled     5s               kubelet            Successfully pulled image "nginx" in 3.246s (3.246s including waiting). Image size: 72955450 bytes.
  Normal   Created    5s               kubelet            Created container nginx-frontend
  Normal   Started    5s               kubelet            Started container nginx-frontend
  Normal   Pulling    5s               kubelet            Pulling image "hooli.com/mysql"
  Warning  Failed     5s               kubelet            Failed to pull image "hooli.com/mysql": failed to pull and unpack image "hooli.com/mysql:latest": failed to resolve reference "hooli.com/mysql:latest": failed to do request: Head "https://hooli.com/v2/mysql/manifests/latest": tls: failed to verify certificate: x509: certificate is valid for origin.wme-microsites.com, *.origin.wme-microsites.com, not hooli.com
  Warning  Failed     5s               kubelet            Error: ErrImagePull
  Normal   BackOff    4s (x2 over 5s)  kubelet            Back-off pulling image "hooli.com/mysql"
  Warning  Failed     4s (x2 over 5s)  kubelet            Error: ImagePullBackOff

So, to recap, OPA policy seems not to be in place since it does not require you to use hooli.com as repository and then hooly.com does not have a valid certificate.

BTW, do we miss some contents since the first questions of this lab seem to ask about stuff not explained in the Opa in Kubernetes lesson?

Regarding step 6

The question states

Create a pod defined under /root/test.yaml in the namespace dev. Fix the OPA validation issue while creating the pod.
NOTE: The pod is expected to be in a created state but not up and running.

If you try to create the pod from test.yaml as directed, then you should see this error

Error from server: error when creating “/root/test.yaml”: admission webhook “validating-webhook.openpolicyagent.org” denied the request: image ‘nginx’ comes from untrusted registry

…which is expected, and kubectl get pods -n dev will show that there is no pod named test

Now if you look at the OPA policy that is applied there…

k get cm -n opa untrusted-registry -o yaml

The policy is

  untrusted-registry.rego: |2

    package kubernetes.admission

    deny[msg] {
      input.request.kind.kind == "Pod"
      image := input.request.object.spec.containers[_].image
      not startswith(image, "hooli.com/")
      msg := sprintf("image '%v' comes from untrusted registry", [image])
    }

This works on pod admission and checks the image of all containers in the pod.

not startswith(image, "hooli.com/")

is the condition for the deny action, meaning that if any container image in the pod does not begin with hooli.com/ then the pod will be denied.

So we edit the container with image: nginx to image: hooli.com/nginx and the pod will be created.

NOTE: The pod is expected to be in a created state but not up and running.

Yes, it is stuck in ImagePullBackOff because the registry hooli.com does not exist, therefore this state is expected. We are merely testing the rego policy for pod admission, not whether the pod can actually start. Admission checks occur when the pod manifest is presented by kubectl and before the scheduling phase. If an admission fails, the pod definition is not added to etcd - i.e. it won’t exist.

I am not sure where you are getting hooly.com from. It is not mentioned anywhere in the question.

As for your other question, which parts are not covered? Have you watched the remaining OPA lectures and still don’t find the information you’re looking for?

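To see exactly which containers trip the deny rule without creating pods in a cluster, here is an added example (not from the lab or the reply above) that mirrors the Rego rule from the untrusted-registry ConfigMap in Python and runs it over a constructed AdmissionReview-style input; the `admission_review` helper and its container names are assumptions made for the example.

```python
# Python mirror of the deny rule in the untrusted-registry ConfigMap.
# Added example: OPA evaluates the real Rego; this only reproduces its logic
# so the admission outcome for a given pod spec can be checked offline.
TRUSTED_PREFIX = "hooli.com/"


def deny(admission_review):
    """Return the set of messages the Rego rule `deny[msg]` would produce.

    Mirrors:
        input.request.kind.kind == "Pod"
        image := input.request.object.spec.containers[_].image
        not startswith(image, "hooli.com/")
        msg := sprintf("image '%v' comes from untrusted registry", [image])
    An empty set means the request is admitted.
    """
    request = admission_review["request"]
    msgs = set()
    if request["kind"]["kind"] != "Pod":
        return msgs
    # containers[_] iterates over every entry in spec.containers; note the rule
    # does not look at spec.initContainers, so those images are not checked.
    for container in request["object"]["spec"].get("containers", []):
        image = container["image"]
        if not image.startswith(TRUSTED_PREFIX):
            msgs.add(f"image '{image}' comes from untrusted registry")
    return msgs


def admission_review(images, kind="Pod"):
    """Build a minimal AdmissionReview-like input (constructed sample, not a capture)."""
    containers = [{"name": f"c{i}", "image": img} for i, img in enumerate(images)]
    return {
        "request": {
            "kind": {"kind": kind},
            "object": {"spec": {"containers": containers}},
        }
    }


if __name__ == "__main__":
    # Pod from test.yaml as posted: nginx + hooli.com/mysql -> denied because of nginx only
    print(deny(admission_review(["nginx", "hooli.com/mysql"])))
    # After the fix from the reply: both images under hooli.com/ -> admitted (empty set)
    print(deny(admission_review(["hooli.com/nginx", "hooli.com/mysql"])))
```

The second case is admitted even though hooli.com cannot actually be pulled from, which is why the pod ends up in ImagePullBackOff rather than being rejected.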

Hi,
thank you, I’ve just created the pod with test.yaml without forcing it into the dev namespace.
hooly was a typo for hooli.
So all my wrong reasoning was related to the fact that I launched the pod in the default namespace, which had no enforcement about the repository etc.

About the questions, I will need to rewatch the two lessons about OPA because the first questions of that lab are not clear to me and maybe I’ve missed some content (it’s always hard to study after too many hours of work :wink: ).

One quick question: where is it said that the OPA policy is applied to namespace dev but not to namespace default, where pod creation does not fail even with the nginx image not on the hooli repo?

Again, thank you for the support and for the quick detailed answer!