Open Policy Agent Gatekeeper

The Open Policy Agent (OPA) Gatekeeper assists in enforcing, monitoring, and remediating policies while strengthening governance of an environment. It provides integration between OPA and Kubernetes.

OPA Gatekeeper controls the policies for Kubernetes and acts as a customizable Kubernetes Admission Webhook. Its audit functionality offers constant monitoring of existing clusters to detect policy violations.

OPA Gatekeeper functionality includes:

• An extensible, parameterized policy library.
• Native Kubernetes CRDs called ConstraintTemplates for extending the policy library
• A high level language, Rego, to create policies.
• Native Kubernetes CRDs called Constraints for instantiating the policy library.
• Audit functionality.
• Security
• Test framework for developing tests for policies.
• Upgrade Guide for upgrading versions.

Installation

To install and test the Gatekeeper application, follow these steps

Prerequisite

• A kubernetes cluster with cluster-admin access
• Helm

Procedure

• Clone the application repository git clone https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
• Change into the policy directory and lint the chart - make sure there are no errors. cd policy && helm lint chart
• Install the chart helm upgrade -i -n gatekeeper-system --create-namespace --wait opa-gatekeeper chart --debug

• Confirm the application installed with no issues.

  kubectl get po -n gatekeeper-system
  NAME                                            READY   STATUS    RESTARTS   AGE
  gatekeeper-audit-7997ddc847-8pt5h               1/1     Running   0          28s
  gatekeeper-controller-manager-7fdfd7bfd-8g5sm   1/1     Running   0          28s
  gatekeeper-controller-manager-7fdfd7bfd-khc7j   1/1     Running   0          28s
  gatekeeper-controller-manager-7fdfd7bfd-nzzd8   1/1     Running   0          28s
  

ConstraintTemplates and Constraints

The repo contains ConstraintTemplate and Constraints.

• ConstraintTemplates describe both the Rego that enforces the constraint and the schema of the constraint. It is the same context as the ConstraintTemplate being a CRD with the schema definition and the Constraints being the CRs passing parameters.

You can find ConstraintTemplates in /chart/templates/constraint-templates.

• Constraints represent the instantiation of the ConstraintTemplates. They inform Gatekeeper that the admin wants a ConstraintTemplate to be enforced, and how.

You can find Constraint in /chart/templates/constraints.

Further information on Constraints and ConstraintTemplates:

• Constraint Framework
• Constraint Template List
• Constraint Annotations
• Policy Library
• Rego
• Violation Exceptions

Additional OPA Gatekeeper Links

• Webinar: K8s with OPA Gatekeeper
• Difference between OPA and Gatekeeper
• K8s with OPA Gatekeeper
• Fitness Validation For Your Kubernetes Apps: Policy As Code
• Introduction to Open Policy Agent | Rawkode Live
• Open Policy Agent Debugging
• OPA Gatekeeper Debugging

For additional info on the architecture and how OPA fits into Big Bang see the Architecture Doc.

---

Last update: 2022-01-04 by Micah Nagel