Deploy OPA Gatekeeper

Open Policy Agent (OPA) is an open source policy engine that facilitates policy-based control for cloud native environments. OPA introduces a high-level declarative language called Rego that decouples policy decisions from enforcement.

The OPA Constraint Framework introduces two primary resources: constraint templates and constraints.

Constraint templates

OPA policy definitions, written in Rego

Constraints

The application of a constraint template to a given set of objects

Gatekeeper uses the Kubernetes API to integrate OPA into Kubernetes. Policies are defined in the form of Kubernetes CustomResourceDefinitions (CRDs) and are enforced with custom admission controller webhooks. These CRDs define constraint templates and constraints on the API server. Any time a request to create, delete, or update a resource is sent to the Kubernetes cluster API server, Gatekeeper validates that resource against the predefined policies. Gatekeeper also audits preexisting resource constraint violations against newly defined policies.

Using OPA Gatekeeper, you can enforce a wide range of policies against your Kubernetes cluster. Policy examples include:

  • Container images can only be pulled from a set of whitelisted repositories.

  • New resources must be appropriately labeled.

  • Deployments must specify a minimum number of replicas.

Note

By design, when the OPA Gatekeeper is disabled using the configuration file, the policies are not cleaned up. Thus, when the OPA Gatekeeper is re-enabled, the cluster can immediately adopt the existing policies.

The retention of the policies poses no risk, as they are merely data on the API server and have no value outside of an OPA Gatekeeper deployment.

The following topics offer installation instructions and an example use case.