Kubernetes: OPA Gatekeeper policy to block privileged Pods

pkwftd7m, published 2023-05-22 in Kubernetes

For two days now I have been trying to create a simple OPA Gatekeeper policy that blocks the creation of Pods with "privileged: true" in certain namespaces.
More details:
I am using opa-gatekeeper version 3.13, installed following these instructions.
To enable the policy, I first created a ConstraintTemplate:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: disallowprivilegedpods
  annotations:
    description: "Disallow creation of privileged pods in alpha and beta namespaces"
spec:
  crd:
    spec:
      names:
        kind: DisallowPrivilegedPods
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package disallow_privileged_pods

        violation[{"msg": msg}] {
          input.request.kind.kind == "Pod"
          input.request.operation == "CREATE"
          input.request.namespace == ["alpha", "beta"]
          input.request.object.spec.securityContext.privileged == true
          msg := "Privileged pods are not allowed in the Alpha and Beta namespaces."
        }

Next, I created the constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowPrivilegedPods
metadata:
  name: disallow-privileged-pods-alpha-beta
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - alpha
      - beta

To test whether the policy works, I tried to deploy this Pod into one of those namespaces:

apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
  namespace: alpha
spec:
  containers:
    - name: my-container
      image: nginx
      securityContext:
        privileged: true
  restartPolicy: Never

Unfortunately the policy does not seem to work; the Pod can be created.
Can anyone give me a hint about what is wrong with this policy?
Cheers
Christian

z4bn682m (answer #1)

The check `input.request.namespace == ["alpha", "beta"]` only evaluates to true when the `input.request.namespace` field is exactly equal to the array it is compared against, i.e. only when `input.request.namespace` is an array with exactly two values, the first being "alpha" and the second "beta".
To check whether an array input field contains one of two values, use incremental rules and array lookup:

# Two bodies for the same rule are OR'ed: the rule is true if either matches.
namespace_alpha_or_beta {
    # `[_]` iterates the array; the rule succeeds if any element equals "alpha"
    "alpha" = input.request.namespace[_]
}

namespace_alpha_or_beta {
    "beta" = input.request.namespace[_]
}
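The following is an added, complete example that is not code from the question or the answer above. It applies the `list[_]` membership idiom the way Gatekeeper's admission input is actually shaped: Gatekeeper hands the Rego the review under `input.review` (not `input.request`), the Pod's namespace (`input.review.object.metadata.namespace`) is a single string, and `privileged` lives on each container's `securityContext`, not on the Pod-level `securityContext` the question's template inspects. The namespace list is passed as a constraint parameter, so the scalar namespace is tested against it with `namespace == input.parameters.namespaces[_]`, and init and ephemeral containers are covered as well. The template, constraint and Pod names, and the `gator test` invocation in the comments, are my own choices, not from the page.

```yaml
# Added example (not from the question or the answer). Save as policy.yaml and run:
#   gator test -f policy.yaml
# Expected result: one violation for privileged-pod-alpha, none for privileged-pod-gamma.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  # Gatekeeper requires the template name to be the lower-cased CRD kind.
  name: k8sdenyprivilegedinnamespaces
spec:
  crd:
    spec:
      names:
        kind: K8sDenyPrivilegedInNamespaces
      validation:
        openAPIV3Schema:
          type: object
          properties:
            namespaces:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenyprivilegedinnamespaces

        # Gatekeeper exposes the admission review as input.review, not input.request.
        # metadata.namespace is a plain string, so compare it against each element
        # of the constraint parameter list with the `list[_]` membership idiom.
        in_scope {
          input.review.object.metadata.namespace == input.parameters.namespaces[_]
        }

        # `privileged` is a per-container setting; collect every container kind.
        containers[c] { c := input.review.object.spec.containers[_] }
        containers[c] { c := input.review.object.spec.initContainers[_] }
        containers[c] { c := input.review.object.spec.ephemeralContainers[_] }

        violation[{"msg": msg}] {
          in_scope
          c := containers[_]
          c.securityContext.privileged == true
          msg := sprintf("privileged container %v is not allowed in namespace %v",
                         [c.name, input.review.object.metadata.namespace])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyPrivilegedInNamespaces
metadata:
  name: deny-privileged-alpha-beta
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    # The list the Rego above iterates over with `[_]`.
    namespaces: ["alpha", "beta"]
---
# Constructed test object: privileged container in a scoped namespace -> denied.
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod-alpha
  namespace: alpha
spec:
  containers:
    - name: app
      image: nginx
      securityContext:
        privileged: true
---
# Constructed test object: same spec outside the list -> no violation.
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod-gamma
  namespace: gamma
spec:
  containers:
    - name: app
      image: nginx
      securityContext:
        privileged: true
```

The constraint above deliberately leaves out `spec.match.namespaces` so that the Rego parameter check is what is being exercised; in a real cluster you can add `match.namespaces: ["alpha", "beta"]` as well, which filters requests before Rego runs and is cheaper than evaluating every Pod. Note also that `input.review.object.spec.securityContext.privileged`, the path used in the question, is never set by the API server because the Pod-level `securityContext` has no `privileged` field, which is why the original template matched nothing even once the namespace comparison is fixed.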
