Skip to content

OPA-Gatekeeper📜

Overview📜

Gatekeeper is an auditing tool that allows administrators to see what resources are currently violating any given policy.

Big Bang Touch Points📜

graph LR
  subgraph "OPA Gatekeeper"
    collector("Collector") --> auditor{{Auditor}}
  end      

  subgraph "Metrics"
    auditor{{Auditor}} --> metrics("Metrics")
  end

  subgraph "Kubernetes API"
    api("Kubernetes API") --> collector("Collector")
    auditor{{Auditor}} --> api("Kubernetes API")
  end

  subgraph "kubectl"
    ctl("kubectl") --> api("Kubernetes API")
  end

Storage📜

Data from gatekeeper is not stored is provided via metrics.

Database📜

Gatekeeper doesn’t have a database.

Istio Configuration📜

When deploying to k3d, istio-system should be added from excludedNamespaces under the allowedDockerRegistries violations. This can be done by modifying chart/values.yaml file or passing an override file with the values set as seen below. This is for development purposes only: production should not allow containers in the istio-system namespace to be pulled from outside of Registry1. 

gatekeeper:
  values:
    violations:
      allowedDockerRegistries:
        match:
          excludedNamespaces: 
            - istio-system # allows creation for loadbalancer pods for various ports and various vendor loadbalancers

High Availability📜

High availability is accomplished by ensuring the replicas in the values file of this helm chart are > 1. By default, this chart is configured for high availability with replicas: 3.

gatekeeper:
  values:
    replicas: 3

Single Sign on (SSO)📜

None. This service doesn’t have a web interface.

Licensing📜

Apache License

Dependencies📜

None.

Last update: 2022-09-15 by brandt keller