Install OPA Gatekeeper

Installing OPA Gatekeeper requires only an update to the MKE configuration file.

1. Obtain the current MKE configuration file for your cluster.

2. Set the cluster_config.policy_enforcement.gatekeeper.enabled configuration parameter to true. For more information on Gatekeeper configuration options, refer to cluster_config.policy_enforcement.gatekeeper.

3. Optional. Exclude resources that are contained in a specified set of namespaces by assigning a comma-separated list of namespaces to the cluster_config.policy_enforcement.gatekeeper.excluded_namespaces configuration parameter. Resources in excluded namespaces are not checked against Gatekeeper constraints, so keep the list to namespaces that genuinely need it.

   Caution

   Do not add namespaces to the excluded_namespaces list that do not yet exist in the cluster.

4. Upload the modified MKE configuration file. Allow approximately five minutes for the change to take effect before verifying the installation.
Verify the successful installation of Gatekeeper by running the following commands in sequence:

1. Verify that the gatekeeper-system namespace was created:

   kubectl get ns gatekeeper-system

   Expected output:

   NAME                STATUS   AGE
   gatekeeper-system   Active   1m

2. Verify the deployments in the gatekeeper-system namespace. Both must report all replicas ready:

   kubectl get deployment -n gatekeeper-system

   Expected output:

   NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
   gatekeeper-audit                1/1     1            1           1m
   gatekeeper-controller-manager   3/3     3            3           1m

3. Verify that gatekeeper-webhook-service, the service the admission webhook is reached through, was created:

   kubectl get service -n gatekeeper-system

   Expected output:

   NAME                         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
   gatekeeper-webhook-service   ClusterIP   10.96.143.125   <none>        443/TCP   1m

4. Verify that the Gatekeeper CustomResourceDefinitions were created:

   kubectl get crd

   Expected output (other CRDs present in the cluster are omitted here):

   NAME                                                 CREATED AT
   assign.mutations.gatekeeper.sh                       2022-08-01T06:25:12Z
   assignmetadata.mutations.gatekeeper.sh               2022-08-01T06:25:12Z
   configs.config.gatekeeper.sh                         2022-08-01T06:25:12Z
   constraintpodstatuses.status.gatekeeper.sh           2022-08-01T06:25:12Z
   constrainttemplatepodstatuses.status.gatekeeper.sh   2022-08-01T06:25:12Z
   constrainttemplates.templates.gatekeeper.sh          2022-08-01T06:25:12Z
   modifyset.mutations.gatekeeper.sh                    2022-08-01T06:25:12Z
   mutatorpodstatuses.status.gatekeeper.sh              2022-08-01T06:25:12Z
   providers.externaldata.gatekeeper.sh                 2022-08-01T06:25:12Z

5. Verify the namespace exemptions, if applicable. MKE exempts kube-system from Gatekeeper admission with the admission.gatekeeper.sh/ignore=exempted-by-mke label, and gatekeeper-system carries the admission.gatekeeper.sh/ignore=no-self-managing label so that Gatekeeper does not police itself:

   kubectl describe ns kube-system gatekeeper-system

   Expected output:

   Name:         kube-system
   Labels:       admission.gatekeeper.sh/ignore=exempted-by-mke
                 kubernetes.io/metadata.name=kube-system
   Annotations:  <none>
   Status:       Active

   No resource quota.

   No LimitRange resource.


   Name:         gatekeeper-system
   Labels:       admission.gatekeeper.sh/ignore=no-self-managing
                 control-plane=controller-manager
                 gatekeeper.sh/system=yes
                 kubernetes.io/metadata.name=gatekeeper-system
   Annotations:  <none>
   Status:       Active

   Resource Quotas
     Name:     gatekeeper-critical-pods
     Resource  Used  Hard
     --------  ---   ---
     pods      4     100

   No LimitRange resource.
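The configuration change and the verification steps above, combined into one added shell script. This is example code written for this page, not MKE's own tooling or documentation. It assumes that the configuration file lays out the Gatekeeper settings as a TOML table named [cluster_config.policy_enforcement.gatekeeper] containing the keys enabled and excluded_namespaces, that the file is fetched and uploaded through the MKE /api/ucp/config-toml endpoint with a bearer token obtained from /auth/login, and that the operator sets the environment variables MKE_HOST, MKE_USERNAME, MKE_PASSWORD and, optionally, GATEKEEPER_EXCLUDED_NAMESPACES; none of these names are taken from the page. It adds the check the caution above calls for, refusing to upload an excluded_namespaces entry that does not exist in the cluster, and polls the gatekeeper-system deployments for readiness instead of sleeping a fixed five minutes. The three functions run offline on constructed input; the live section runs only when MKE_HOST is set.

```shell
#!/bin/sh
# Added example, not MKE's own tooling. Enables OPA Gatekeeper in an MKE
# configuration file, refuses excluded namespaces that do not exist, uploads
# the file and waits for the gatekeeper-system deployments to become ready.
# Assumed (not from the MKE docs): the TOML table
# [cluster_config.policy_enforcement.gatekeeper] with keys enabled and
# excluded_namespaces; the /auth/login and /api/ucp/config-toml endpoints;
# env vars MKE_HOST, MKE_USERNAME, MKE_PASSWORD, GATEKEEPER_EXCLUDED_NAMESPACES.
set -eu

# enable_gatekeeper FILE NAMESPACES
# Rewrites the gatekeeper table in FILE so that enabled = true and
# excluded_namespaces = "NAMESPACES". Keys the table lacks are added, a missing
# table is appended, and everything outside the table is left untouched.
enable_gatekeeper() {
  file=$1
  namespaces=$2
  awk -v excl="$namespaces" '
    function leave_table() {
      if (in_gk) {
        if (!saw_enabled)  print "  enabled = true"
        if (!saw_excluded) printf "  excluded_namespaces = \"%s\"\n", excl
      }
      in_gk = 0
    }
    /^\[cluster_config\.policy_enforcement\.gatekeeper\]/ {
      leave_table(); in_gk = 1; seen_table = 1; print; next
    }
    /^\[/ { leave_table() }
    in_gk && $1 == "enabled" { print "  enabled = true"; saw_enabled = 1; next }
    in_gk && $1 == "excluded_namespaces" {
      printf "  excluded_namespaces = \"%s\"\n", excl; saw_excluded = 1; next
    }
    { print }
    END {
      leave_table()
      if (!seen_table) {
        print "[cluster_config.policy_enforcement.gatekeeper]"
        print "  enabled = true"
        printf "  excluded_namespaces = \"%s\"\n", excl
      }
    }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# missing_namespaces "EXISTING" "CSV"
# EXISTING is a space-separated list of namespaces present in the cluster,
# CSV the comma-separated excluded_namespaces value. Prints the entries of
# CSV that are not in EXISTING; empty output means the list is safe to upload.
missing_namespaces() {
  existing=$1
  csv=$2
  missing=""
  for ns in $(printf '%s' "$csv" | tr ',' ' '); do
    case " $existing " in
      *" $ns "*) ;;
      *) missing="$missing $ns" ;;
    esac
  done
  printf '%s\n' "${missing# }"
}

# unready_deployments
# Reads `kubectl get deployment` output on stdin and prints the deployments
# whose READY column is not n/n (or is 0/0); empty output means all are ready.
unready_deployments() {
  awk 'NR > 1 { split($2, r, "/"); if (r[1] != r[2] || r[2] == 0) print $1 }'
}

# Live path: runs only when MKE_HOST is set, so the functions above can be
# exercised offline. The auth_token is pulled out with sed to avoid a jq dependency.
if [ -n "${MKE_HOST:-}" ]; then
  token=$(curl -sk -X POST "https://$MKE_HOST/auth/login" \
    -d "{\"username\":\"$MKE_USERNAME\",\"password\":\"$MKE_PASSWORD\"}" \
    | sed -n 's/.*"auth_token" *: *"\([^"]*\)".*/\1/p')
  [ -n "$token" ] || { echo "login to $MKE_HOST failed" >&2; exit 1; }
  curl -sk -H "Authorization: Bearer $token" -H "accept: application/toml" \
    "https://$MKE_HOST/api/ucp/config-toml" > mke-config.toml

  excluded=${GATEKEEPER_EXCLUDED_NAMESPACES:-}
  present=$(kubectl get ns -o name | sed 's#^namespace/##' | tr '\n' ' ')
  absent=$(missing_namespaces "$present" "$excluded")
  [ -z "$absent" ] || { echo "refusing: namespaces do not exist: $absent" >&2; exit 1; }

  enable_gatekeeper mke-config.toml "$excluded"
  curl -sk -X PUT -H "Authorization: Bearer $token" -H "accept: application/toml" \
    --upload-file mke-config.toml "https://$MKE_HOST/api/ucp/config-toml"

  # The upload takes roughly five minutes to apply; poll instead of sleeping blindly,
  # and require both expected deployments to exist and be fully ready.
  i=0
  while [ "$i" -lt 60 ]; do
    deps=$(kubectl get deployment -n gatekeeper-system 2>/dev/null || true)
    if printf '%s\n' "$deps" | grep -q '^gatekeeper-audit ' &&
       printf '%s\n' "$deps" | grep -q '^gatekeeper-controller-manager ' &&
       [ -z "$(printf '%s\n' "$deps" | unready_deployments)" ]; then
      echo "Gatekeeper is installed and all deployments are ready"; exit 0
    fi
    sleep 10; i=$((i + 1))
  done
  echo "Gatekeeper deployments not ready after 10 minutes" >&2; exit 1
fi
```

The existence check runs before the upload because a non-existent namespace in excluded_namespaces is exactly the case the caution warns about, and a wrong entry is far cheaper to catch locally than after a five-minute reconfiguration. The readiness loop insists on both gatekeeper-audit and gatekeeper-controller-manager being present so an empty listing during rollout is not mistaken for success.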