OPA-Gatekeeper📜
Overview📜
Gatekeeper is an auditing tool that allows administrators to see what resources are currently violating any given policy.
Big Bang Touch Points📜
graph LR
subgraph "OPA Gatekeeper"
collector("Collector") --> auditor{{Auditor}}
end
subgraph "Metrics"
auditor{{Auditor}} --> metrics("Metrics")
end
subgraph "Kubernetes API"
api("Kubernetes API") --> collector("Collector")
auditor{{Auditor}} --> api("Kubernetes API")
end
subgraph "kubectl"
ctl("kubectl") --> api("Kubernetes API")
end
Storage📜
Data from gatekeeper is not stored is provided via metrics.
Database📜
Gatekeeper doesn’t have a database.
Istio Configuration📜
When deploying to k3d, istio-system should be added from excludedNamespaces
under the allowedDockerRegistries
violations. This can be done by modifying chart/values.yaml
file or passing an override file with the values set as seen below. This is for development purposes only: production should not allow containers in the istio-system
namespace to be pulled from outside of Registry1.
gatekeeper:
values:
violations:
allowedDockerRegistries:
match:
excludedNamespaces:
- istio-system # allows creation for loadbalancer pods for various ports and various vendor loadbalancers
High Availability📜
High availability is accomplished by ensuring the replicas in the values file of this helm chart are > 1. By default, this chart is configured for high availability with replicas: 3
.
gatekeeper:
values:
replicas: 3
Single Sign on (SSO)📜
None. This service doesn’t have a web interface.
Licensing📜
Dependencies📜
None.