# OPA Gatekeeper ## **Introduction to OPA Gatekeeper Overview** OPA Gatekeeper is an open-source project that extends the capabilities of Open Policy Agent (OPA) by integrating it more deeply into Kubernetes. While OPA can be used as a generic admission controller, Gatekeeper provides a Kubernetes-native way to manage and enforce policies, making it easier to define, deploy, and audit policies across your Kubernetes clusters. Gatekeeper leverages Kubernetes Custom Resource Definitions (CRDs) to define policies, allowing you to manage OPA policies just like any other Kubernetes resource. This integration also supports Kubernetes-native features such as role-based access control (RBAC), auditing, and versioning. ### **Understanding Gatekeeper’s Architecture** Gatekeeper is built on top of OPA and operates as a Kubernetes admission controller. It introduces two key concepts: * **`ConstraintTemplates`**: Define reusable policy logic (written in Rego) and expose configurable parameters. * **`Constraints`**: Apply the `ConstraintTemplates` to specific resources or namespaces, defining the scope of the policy and any parameters. **Gatekeeper Components:** * **OPA**: The policy engine that evaluates Rego policies. * **Controller**: Manages `ConstraintTemplates`, `Constraints`, and other Gatekeeper resources. * **Admission Webhook**: Intercepts API requests to the Kubernetes API server and sends them to OPA for evaluation based on the applied constraints. ### **Setting Up OPA Gatekeeper in Kubernetes** To start using Gatekeeper, you first need to deploy it in your Kubernetes cluster. The following steps guide you through the installation and basic setup. **Step 1: Install OPA Gatekeeper** Gatekeeper can be installed using Helm or by applying Kubernetes manifests directly. Below is the Helm installation method. **Helm Installation:** ```bash helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts helm install gatekeeper/gatekeeper --name-template=gatekeeper --namespace gatekeeper-system --create-namespace ``` This command installs Gatekeeper in the `gatekeeper-system` namespace. It sets up the necessary components, including the admission controller webhook, the OPA engine, and the Gatekeeper controller. **Step 2: Verify the Installation** After installation, verify that Gatekeeper is running by checking the status of the pods in the `gatekeeper-system` namespace: ```bash kubectl get pods -n gatekeeper-system ``` You should see pods for the Gatekeeper controller and webhook. **Writing and Applying ConstraintTemplates and Constraints** Once Gatekeeper is installed, you can start writing policies using `ConstraintTemplates` and applying them with `Constraints`. **Step 1: Create a `ConstraintTemplate`** A `ConstraintTemplate` defines the reusable logic of a policy, written in Rego, and the parameters that can be configured in individual `Constraints`. **Example `ConstraintTemplate`:** ```yaml apiVersion: templates.gatekeeper.sh/v1 kind: ConstraintTemplate metadata: name: k8srequiredlabels spec: crd: spec: names: kind: K8sRequiredLabels validation: openAPIV3Schema: properties: labels: type: array items: type: string targets: - target: admission.k8s.gatekeeper.sh rego: | package k8srequiredlabels violation[{"msg": msg}] { provided := {label | input.review.object.metadata.labels[label]} required := {label | label := input.parameters.labels[_]} missing := required - provided count(missing) > 0 msg := sprintf("You must provide labels: %v", [missing]) } ``` * **Explanation:** * The `kind` defines the custom resource type (`K8sRequiredLabels`) that will be created by this template. * The `rego` block contains the Rego policy that enforces the requirement for specific labels on Kubernetes resources. **Step 2: Apply the `ConstraintTemplate`** Apply the `ConstraintTemplate` to your Kubernetes cluster: ```bash kubectl apply -f k8srequiredlabels_template.yaml ``` This command creates the `K8sRequiredLabels` custom resource in your cluster, making it available for use in `Constraints`. **Step 3: Create a `Constraint`** A `Constraint` applies the logic defined in a `ConstraintTemplate` to specific Kubernetes resources or namespaces. **Example `Constraint`:** ```yaml apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredLabels metadata: name: ns-must-have-gatekeeper spec: match: kinds: - apiGroups: [""] kinds: ["Namespace"] parameters: labels: ["gatekeeper"] ``` * **Explanation:** * The `match` field specifies the resources to which this constraint applies (in this case, `Namespace` resources). * The `parameters` field sets the required labels (in this case, the `gatekeeper` label). **Step 4: Apply the `Constraint`** Apply the `Constraint` to your Kubernetes cluster: ```bash kubectl apply -f ns_must_have_gatekeeper.yaml ``` Now, any attempt to create or update a `Namespace` without the `gatekeeper` label will be denied. ### **Common Policies for Kubernetes Security and Compliance** Gatekeeper can enforce a wide range of policies to enhance the security and compliance of your Kubernetes clusters. Here are some common examples: * **Enforcing Resource Limits:** * Ensure that all containers have CPU and memory limits defined. * **Restricting Privileged Containers:** * Prevent the creation of pods that run with elevated privileges. * **Validating Image Sources:** * Only allow containers to use images from approved registries. * **Enforcing Namespace Quotas:** * Ensure that each namespace adheres to specific resource quotas. **Example: Enforcing Resource Limits** Create a `ConstraintTemplate` to enforce resource limits on containers: ```yaml apiVersion: templates.gatekeeper.sh/v1 kind: ConstraintTemplate metadata: name: k8srequiredresources spec: crd: spec: names: kind: K8sRequiredResources targets: - target: admission.k8s.gatekeeper.sh rego: | package k8srequiredresources violation[{"msg": msg}] { input.review.object.spec.containers[_].resources.limits == {} msg := "Containers must have resource limits defined." } ``` Apply the template and create a `Constraint` to enforce this policy on all pods: ```yaml apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredResources metadata: name: require-resource-limits spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] ``` Apply these resources to your cluster, and any pod without resource limits will be denied. **Auditing and Monitoring Gatekeeper Policies** Gatekeeper not only enforces policies during admission but can also audit existing resources against those policies. This helps identify any violations in your current Kubernetes state. **Enable Auditing:** Gatekeeper automatically audits resources periodically. You can view audit results using the following command: ```bash kubectl get constrainttemplate.status.auditResults ``` **Monitoring and Alerts:** Integrate Gatekeeper with monitoring and alerting tools like Prometheus and Grafana to track policy enforcement and violations. This provides visibility into your cluster’s compliance status and helps in proactive management. ### **Best Practices for Using Gatekeeper** When using Gatekeeper in your Kubernetes environment, consider the following best practices: * **Start with Dry-Run Mode**: Test new policies in dry-run mode to see how they would affect resources without enforcing them. * **Use Namespaces for Scope**: Apply different policies to different namespaces, allowing for more granular control and avoiding disruptions in critical environments. * **Version Control and CI/CD**: Store your `ConstraintTemplates` and `Constraints` in version control and use CI/CD pipelines to manage their deployment and updates. * **Regular Audits**: Regularly audit your Kubernetes resources to ensure ongoing compliance with your policies. ### **Summary** In this lesson, you learned how to use OPA Gatekeeper to enforce policies in Kubernetes clusters. You explored how to write `ConstraintTemplates` and `Constraints`, apply them to your cluster, and monitor policy compliance. Gatekeeper simplifies policy management in Kubernetes by providing a Kubernetes-native way to define, apply, and audit policies.