OPA gatekeeper
Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement. Gatekeeper is a Kubernetes validating admission webhook that enforces CRD-based policies by evaluating them with OPA. Policies are written in a language called rego. Any request that tries to create or alter a resource in a way that violates one of these policies is rejected.
In addition to admission, Gatekeeper offers audit functionality, which allows administrators to see which resources are currently violating any given policy.
Deployment
The Gatekeeper webhook and audit services live in separate charms; you should deploy both of them.
First make sure that you have a Charmed Kubernetes environment set up and running. See the quickstart if you haven't. The gatekeeper-audit charm requires storage, so make sure your Juju model has a registered storage pool.
Next, create a new Kubernetes model:
Then you can deploy the Gatekeeper charms:
Using RBAC
If the cluster uses RBAC, you must deploy the charms with the --trust flag. Trusting the charm lets Juju grant it the cluster-level permissions it needs to create the necessary resources (CRDs, cluster roles and bindings).
Policies
Policies are defined as ConstraintTemplate custom resources whose logic is written in rego. A Constraint is then created from a template to tell Gatekeeper that the admin wants that ConstraintTemplate enforced, which kinds of resources it applies to, what parameters it takes, and which enforcement action to use.
To get a list of the constraints run:
Or with the juju command:
And then to get the violations for a specific constraint run:
Configuration
Not much needs to be configured when running OPA Gatekeeper. All of the available configuration options relate to tuning the audit (how often it runs and how many violations it records).
Metrics
Both charms provide out of the box integration with the prometheus-k8s and the grafana-agent-k8s charms.
If you have those two charms deployed, you can integrate them with gatekeeper simply by running:
This provides metrics such as how many admission requests were processed and how many were denied, how many violations currently exist in the cluster, and how long the last audit took.
Reconciliation
Both Gatekeeper charms manage the same Kubernetes resources (roles, CRDs, etc.). If for some reason you wish to remove one of the two charms while keeping the other, be very careful: removing either charm deletes all of those shared resources, and the remaining charm stops working until they are recreated.
In that scenario you will need to reconcile (recreate) the resources by running:
Warning: This will cause all the policies to be deleted as well, which means you will have to reapply them.
Test the Gatekeeper charm
To test the gatekeeper charms you can try applying the test policy available on the charms’ repository:
This policy requires every namespace to carry the label gatekeeper=True, so creating a new namespace without that label should fail:
...should return...
After a while you should also be able to see violations of the policy from the existing resources. For example:
... will return something similar to:
NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS
ns-must-have-gk 6
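As an added illustration of the Policies and Test sections above (this is not the test policy from the charms' repository, nor code from the Gatekeeper project), here is a ConstraintTemplate and a Constraint that together deny any Namespace that does not carry the label gatekeeper=True. The template kind K8sRequiredLabelValues and its rego are written for this page; the Constraint reuses the name ns-must-have-gk from the listing above. The two trailing Namespace manifests are constructed inputs: the first is admitted, the second is rejected.

```yaml
# ConstraintTemplate: the reusable policy (rego) plus the schema of its parameters.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabelvalues          # must be the lowercase form of the kind below
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabelValues     # hypothetical kind, defined for this example
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:                      # map of label key -> exact value required
              type: object
              additionalProperties:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabelvalues

        # One violation per required label whose value is missing or wrong.
        violation[{"msg": msg}] {
          # A namespace created with no labels has no metadata.labels at all;
          # default to an empty object so the rule does not become undefined
          # (an undefined rule silently admits the object).
          labels := object.get(input.review.object.metadata, "labels", {})
          some key
          want := input.parameters.labels[key]
          got := object.get(labels, key, "")
          got != want
          name := object.get(input.review.object.metadata, "name", "")
          msg := sprintf("%q must carry label %v=%v (found %q)", [name, key, want, got])
        }
---
# Constraint: switches the template on for Namespaces with the parameters we want.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabelValues
metadata:
  name: ns-must-have-gk                  # same name as the constraint listed above
spec:
  enforcementAction: deny                # "dryrun" or "warn" would only record/audit
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    labels:
      gatekeeper: "True"                 # quoted: unquoted True would be parsed as a boolean
---
# Constructed test input: this namespace is admitted.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  labels:
    gatekeeper: "True"
---
# Constructed test input: rejected by the webhook with the message built in the rego above.
apiVersion: v1
kind: Namespace
metadata:
  name: team-b
  labels:
    gatekeeper: "false"
```

Apply the template first and wait until its generated CRD (k8srequiredlabelvalues.constraints.gatekeeper.sh) exists before applying the Constraint; applying both in the same instant can fail because the Constraint's kind is not registered yet. Namespaces that already existed without the label are not deleted by a deny constraint: they only appear as violations of ns-must-have-gk once the audit has run, which is what the TOTAL-VIOLATIONS column above counts.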
Useful links
- Gatekeeper Documentation
- OPA Documentation
- Rego Documentation
- Gatekeeper Audit Charm
- Gatekeeper Webhook Charm