Install OPA Gatekeeper

Important

If you are currently using Pod Security Policies for policy enforcement, Mirantis recommends that you disable PSPs in MKE prior to installing OPA Gatekeeper.

You install OPA Gatekeeper by updating the MKE configuration file; MKE deploys the Gatekeeper components for you once the change is applied.

  1. Obtain the current MKE configuration file for your cluster.

  2. Set the cluster_config.policy_enforcement.gatekeeper.enabled configuration parameter to "true". For more information on Gatekeeper configuration options, refer to cluster_config.policy_enforcement.gatekeeper.

  3. Optional. Exclude resources that are contained in a specified set of namespaces by assigning a comma-separated list of namespaces to the cluster_config.policy_enforcement.gatekeeper.excluded_namespaces configuration parameter.

    Caution

    Avoid adding namespaces to the excluded_namespaces list that do not yet exist in the cluster.

  4. Upload the modified MKE configuration file. Allow approximately five minutes for MKE to apply the change before you proceed to verification.

  5. Verify the successful installation of Gatekeeper by running the following commands in sequence:

    1. Verify that the gatekeeper-system namespace was created:

      kubectl get ns gatekeeper-system
      

      Expected output:

      NAME                STATUS   AGE
      gatekeeper-system   Active   1m
      
    2. Verify that the Gatekeeper deployments in the gatekeeper-system namespace exist and are fully ready:

      kubectl get deployment -n gatekeeper-system
      

      Expected output:

      NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
      gatekeeper-audit                1/1     1            1           1m
      gatekeeper-controller-manager   3/3     3            3           1m
      
    3. Verify that gatekeeper-webhook-service was created (the CLUSTER-IP in your output will differ):

      kubectl get service -n gatekeeper-system
      

      Expected output:

      NAME                         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
      gatekeeper-webhook-service   ClusterIP   10.96.143.125   <none>        443/TCP   1m
      
    4. Verify that the Gatekeeper CustomResourceDefinitions were created. The command lists every CRD in the cluster; the expected output below shows only the Gatekeeper CRDs (those in the *.gatekeeper.sh API groups), and the CREATED AT values will differ:

      kubectl get crd
      

      Expected output:

      NAME                                                 CREATED AT
      assign.mutations.gatekeeper.sh                       2022-08-01T06:25:12Z
      assignmetadata.mutations.gatekeeper.sh               2022-08-01T06:25:12Z
      configs.config.gatekeeper.sh                         2022-08-01T06:25:12Z
      constraintpodstatuses.status.gatekeeper.sh           2022-08-01T06:25:12Z
      constrainttemplatepodstatuses.status.gatekeeper.sh   2022-08-01T06:25:12Z
      constrainttemplates.templates.gatekeeper.sh          2022-08-01T06:25:12Z
      modifyset.mutations.gatekeeper.sh                    2022-08-01T06:25:12Z
      mutatorpodstatuses.status.gatekeeper.sh              2022-08-01T06:25:12Z
      providers.externaldata.gatekeeper.sh                 2022-08-01T06:25:12Z
      
    5. Verify the exempted namespaces, if applicable. A namespace that Gatekeeper skips carries the admission.gatekeeper.sh/ignore label, as kube-system (exempted-by-mke) and gatekeeper-system (no-self-managing) do in the following output:

      kubectl describe ns kube-system gatekeeper-system
      

      Expected output:

      Name:         kube-system
      Labels:       admission.gatekeeper.sh/ignore=exempted-by-mke
                    kubernetes.io/metadata.name=kube-system
      Annotations:  <none>
      Status:       Active
      
      No resource quota.
      
      No LimitRange resource.
      
      
      Name:         gatekeeper-system
      Labels:       admission.gatekeeper.sh/ignore=no-self-managing
                    control-plane=controller-manager
                    gatekeeper.sh/system=yes
                    kubernetes.io/metadata.name=gatekeeper-system
      Annotations:  <none>
      Status:       Active
      
      Resource Quotas
        Name:     gatekeeper-critical-pods
        Resource  Used  Hard
        --------  ---   ---
        pods      4     100
      
      No LimitRange resource.
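
The following shell script is an added example; it is not from the Mirantis documentation and not part of MKE. It scripts steps 1 through 4 (fetch, edit and upload the configuration file) and turns the manual checks of step 5 into pass/fail functions that read kubectl output, including a check for the Caution in step 3. The MKE API path /api/ucp/config-toml, the MKE_HOST, MKE_CA and AUTHTOKEN variables, and the exact TOML layout of the gatekeeper table (a [cluster_config.policy_enforcement.gatekeeper] table holding enabled and excluded_namespaces) are assumptions to verify against your MKE version; the config fragment and the kubectl output the script processes are constructed.

```shell
#!/usr/bin/env sh
# Added example; not from the Mirantis documentation or from MKE itself.
# Scripts steps 1-4 (fetch, edit, upload the MKE config) and turns the manual
# checks of step 5 into pass/fail functions that read kubectl output.
# ASSUMPTIONS: the API path /api/ucp/config-toml, the MKE_HOST/MKE_CA/AUTHTOKEN
# variables, and the TOML layout of the gatekeeper table. Verify them against
# the MKE version you run before using fetch_config/upload_config.
set -eu

MKE_HOST="${MKE_HOST:-mke.example.com}"          # assumed hostname
GK_TABLE='[cluster_config.policy_enforcement.gatekeeper]'

# Steps 1 and 4 (assumed endpoint). Pin the MKE CA instead of passing -k:
# with -k a spoofed endpoint would receive both the bearer token and the config.
fetch_config() {
  curl -sSf --cacert "${MKE_CA:?path to the MKE CA bundle}" \
    -H "Authorization: Bearer ${AUTHTOKEN:?MKE bearer token}" \
    "https://$MKE_HOST/api/ucp/config-toml"
}
upload_config() {   # $1 = path of the edited TOML file
  curl -sSf --cacert "${MKE_CA:?path to the MKE CA bundle}" \
    -H "Authorization: Bearer ${AUTHTOKEN:?MKE bearer token}" \
    -X PUT --upload-file "$1" "https://$MKE_HOST/api/ucp/config-toml"
}

# Steps 2 and 3. Config TOML on stdin, edited TOML on stdout. Only the two
# keys inside the gatekeeper table are rewritten; an identically named key in
# any other table is left alone. If an older config lacks the table, it is
# appended with both keys.
enable_gatekeeper() {   # $1 = comma-separated namespaces to exclude
  awk -v excl="$1" -v table="$GK_TABLE" '
    /^[ \t]*\[/ { in_gk = ($1 == table); if (in_gk) seen = 1 }
    in_gk && /^[ \t]*enabled[ \t]*=/             { sub(/=.*/, "= true") }
    in_gk && /^[ \t]*excluded_namespaces[ \t]*=/ { sub(/=.*/, "= \"" excl "\"") }
    { print }
    END {
      if (!seen) {
        print table
        print "  enabled = true"
        print "  excluded_namespaces = \"" excl "\""
      }
    }'
}

# Caution in step 3: refuse an exclusion list naming namespaces the cluster
# does not have. $1 = comma-separated exclusions; $2 = existing namespace
# names, e.g. "$(kubectl get ns -o jsonpath='{.items[*].metadata.name}')".
check_excluded_namespaces() {
  local ns existing missing=""
  existing=" $(printf '%s' "$2" | tr -s '[:space:]' ' ') "
  for ns in $(printf '%s' "$1" | tr ',' ' '); do
    case "$existing" in
      *" $ns "*) ;;
      *) missing="$missing $ns" ;;
    esac
  done
  [ -z "$missing" ] || { echo "not in cluster:$missing" >&2; return 1; }
}

# Step 5.2. Reads `kubectl get deployment -n gatekeeper-system --no-headers`
# on stdin; succeeds only when gatekeeper-audit and gatekeeper-controller-manager
# both exist and their READY column is n/n with n > 0.
deployments_ready() {
  awk '
    $1 == "gatekeeper-audit" || $1 == "gatekeeper-controller-manager" {
      split($2, r, "/")
      if (r[2] > 0 && r[1] == r[2]) ok++; else bad = bad " " $1 "=" $2
    }
    END { if (ok != 2) { print "gatekeeper deployments not ready:" bad; exit 1 } }'
}

# Step 5.5. Gatekeeper's webhook skips namespaces carrying the
# admission.gatekeeper.sh/ignore label; the documented output shows it on
# kube-system (exempted-by-mke) and gatekeeper-system (no-self-managing).
namespace_exempted() {   # $1 = namespace; needs kubectl and cluster access
  [ -n "$(kubectl get ns "$1" \
      -o jsonpath='{.metadata.labels.admission\.gatekeeper\.sh/ignore}')" ]
}

# Demo on a constructed config fragment; runs without a cluster.
SAMPLE_CONFIG='[cluster_config]
  dns = []
[cluster_config.policy_enforcement.gatekeeper]
  enabled = false
  excluded_namespaces = ""
[constructed_other_table]
  enabled = false'
printf '%s\n' "$SAMPLE_CONFIG" | enable_gatekeeper "monitoring,kube-public"
```

Run as-is, the script prints the rewritten fragment with the gatekeeper table enabled and the other table untouched. Against a real cluster, export MKE_HOST, MKE_CA and AUTHTOKEN, run check_excluded_namespaces with the live namespace list before calling upload_config, and after the five-minute wait pipe `kubectl get deployment -n gatekeeper-system --no-headers` into deployments_ready and call namespace_exempted for each namespace you expect to be skipped.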