Install OPA Gatekeeper¶
Important
If you are currently using Pod Security Policies for policy enforcement, Mirantis recommends that you disable PSPs in MKE prior to installing OPA Gatekeeper.
The installation of OPA Gatekeeper is achieved simply by updating the MKE configuration file.
Obtain the current MKE configuration file for your cluster.
Set the
cluster_config.policy_enforcement.gatekeeper.enabledconfiguration parameter to"true". For more information on Gatekeeper configuration options, refer to cluster_config.policy_enforcement.gatekeeper.Optional. Exclude resources that are contained in a specified set of namespaces by assigning a comma-separated list of namespaces to the
cluster_config.policy_enforcement.gatekeeper.excluded_namespacesconfiguration parameter.Caution
Avoid adding namespaces to the
excluded_namespaceslist that do not yet exist in the cluster.Upload the newly modified MKE configuration file. Be aware that the upload requires a wait time of approximately five minutes.
Verify the successful installation of Gatekeeper by running the following commands in sequence:
Verify that the
gatekeeper-systemnamespace was created:kubectl get ns gatekeeper-system
Expected output:
NAME STATUS AGE gatekeeper-system Active 1m
Verify the contents of the
gatekeeper-systemdeployment:kubectl get deployment -n gatekeeper-system
Expected output:
NAME READY UP-TO-DATE AVAILABLE AGE gatekeeper-audit 1/1 1 1 1m gatekeeper-controller-manager 3/3 3 3 1m
Verify that
gatekeeper-webhook-servicewas created:kubectl get service -n gatekeeper-system
Expected output:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE gatekeeper-webhook-service ClusterIP 10.96.143.125 <none> 443/TCP 1m
Verify that the correct CustomResourceDefinitions were created:
kubectl get crd
Expected output:
NAME CREATED AT assign.mutations.gatekeeper.sh 2022-08-01T06:25:12Z assignmetadata.mutations.gatekeeper.sh 2022-08-01T06:25:12Z configs.config.gatekeeper.sh 2022-08-01T06:25:12Z constraintpodstatuses.status.gatekeeper.sh 2022-08-01T06:25:12Z constrainttemplatepodstatuses.status.gatekeeper.sh 2022-08-01T06:25:12Z constrainttemplates.templates.gatekeeper.sh 2022-08-01T06:25:12Z modifyset.mutations.gatekeeper.sh 2022-08-01T06:25:12Z mutatorpodstatuses.status.gatekeeper.sh 2022-08-01T06:25:12Z providers.externaldata.gatekeeper.sh 2022-08-01T06:25:12Z
Verify exempted namespaces, if applicable:
kubectl describe ns kube-system gatekeeper-system
Expected output:
Name: kube-system Labels: admission.gatekeeper.sh/ignore=exempted-by-mke kubernetes.io/metadata.name=kube-system Annotations: <none> Status: Active No resource quota. No LimitRange resource. Name: gatekeeper-system Labels: admission.gatekeeper.sh/ignore=no-self-managing control-plane=controller-manager gatekeeper.sh/system=yes kubernetes.io/metadata.name=gatekeeper-system Annotations: <none> Status: Active Resource Quotas Name: gatekeeper-critical-pods Resource Used Hard -------- --- --- pods 4 100 No LimitRange resource.