Deploy OPA Gatekeeper for policy enforcement
Mirantis currently supports the use of OPA Gatekeeper for policy enforcement.
Open Policy Agent (OPA) is an open source policy engine that facilitates policy-based control for cloud native environments. OPA introduces a high-level declarative language called Rego that decouples policy decisions from enforcement.
The OPA Constraint Framework introduces two primary resources: constraint templates and constraints.
- Constraint templates: OPA policy definitions, written in Rego
- Constraints: the application of a constraint template to a given set of objects
Gatekeeper uses the Kubernetes API to integrate OPA into Kubernetes. Policies are defined in the form of Kubernetes CustomResourceDefinitions (CRDs) and are enforced with custom admission controller webhooks. These CRDs define constraint templates and constraints on the API server. Any time a request to create, delete, or update a resource is sent to the Kubernetes cluster API server, Gatekeeper validates that resource against the predefined policies. Gatekeeper also audits preexisting resources for violations of newly defined policies, so a new policy surfaces non-compliant objects that were admitted before it existed.
Using OPA Gatekeeper, you can enforce a wide range of policies against your Kubernetes cluster. Policy examples include:
- Container images can only be pulled from a set of whitelisted repositories.
- New resources must be appropriately labeled.
- Deployments must specify a minimum number of replicas.
Note
By design, when the OPA Gatekeeper is disabled using the configuration file, the policies are not cleaned up. Thus, when the OPA Gatekeeper is re-enabled, the cluster can immediately adopt the existing policies.
The retention of the policies poses no risk, as they are merely data on the API server and have no value outside of an OPA Gatekeeper deployment.
The following topics offer installation instructions and an example use case.