Deploy OPA Gatekeeper¶
Open Policy Agent (OPA) is an open source policy engine that facilitates policy-based control for cloud native environments. OPA introduces a high-level declarative language called Rego that decouples policy decisions from enforcement.
The OPA Constraint Framework introduces two primary resources: constraint templates and constraints.
- Constraint templates
OPA policy definitions, written in Rego
The application of a constraint template to a given set of objects
Gatekeeper uses the Kubernetes API to integrate OPA into Kubernetes. Policies are defined in the form of Kubernetes CustomResourceDefinitions (CRDs) and are enforced with custom admission controller webhooks. These CRDs define constraint templates and constraints on the API server. Any time a request to create, delete, or update a resource is sent to the Kubernetes cluster API server, Gatekeeper validates that resource against the predefined policies. Gatekeeper also audits preexisting resource constraint violations against newly defined policies.
Using OPA Gatekeeper, you can enforce a wide range of policies against your Kubernetes cluster. Policy examples include:
Container images can only be pulled from a set of whitelisted repositories.
New resources must be appropriately labeled.
Deployments must specify a minimum number of replicas.
The following topics offer installation instructions and an example use case.