OPA Constraint Framework
OPA Gatekeeper uses the OPA Constraint Framework to establish and implement policy enforcement.
Custom Resource Definitions
Custom Resource Definitions (CRDs) extend the Kubernetes API. Each CRD registers a new RESTful resource path so that custom objects of that kind can be created, validated and stored by the API server in the same way as built-in API objects. OPA Gatekeeper's CRDs are what allow OPA policies to be configured dynamically, without rebuilding or redeploying Gatekeeper.
The two main types of policy authoring Gatekeeper uses are Constraint Templates and Constraints.
Constraint Templates
Constraint Templates define the enforcement rules and the schema of the parameters a Constraint may supply. OPA Gatekeeper ships a library of parameterized Constraint Templates, and you can author your own. The rule logic inside a Constraint Template is written in Rego, OPA's query language; Rego is a small declarative syntax with a limited set of built-in functions and operators for evaluating queries over JSON-like data. A Constraint Template on its own enforces nothing: it only registers a new Constraint kind with the API server, and policy is enforced once a Constraint of that kind is created.
Constraints
Constraints are the native Kubernetes custom resources that instantiate the policy library. Each Constraint is an instance of a Constraint Template: it declares a policy that Gatekeeper enforces and the requirements that matching resources must meet. Unlike Constraint Templates, Constraints contain no Rego. A Constraint is a plain YAML object of the kind that its Constraint Template registers, and it supplies the match criteria (which kinds, namespaces or labels the policy applies to) and the parameters that the template's Rego reads from input.parameters.
Because a Constraint's kind does not exist until Gatekeeper has processed its Constraint Template, Constraints must be created after the Constraint Templates are in place. This is accomplished using a post-install/post-upgrade Helm chart hook. As a result, you must use the --wait option in Helm deployments to ensure the hook is called at the appropriate time; without it, Helm can run the hook before the template has been reconciled and the Constraint objects fail to apply because their kind is not yet known to the API server.
For more information on OPA Gatekeeper Constraints and Constraint Templates, refer to the following link.