3. Install OPA
The Gatekeeper project combines a Kubernetes admission webhook with the "OPA constraint framework" (implemented as CRDs). It lets users customize admission control by configuration rather than by code; the policies themselves are evaluated by OPA.
Gatekeeper is an extensible, parameterized policy library: a ConstraintTemplate CRD extends the library with a new policy type, and a Constraint CRD instantiates that policy with concrete parameters and a match scope.
- The Rego (OPA's declarative query language) lives in the ConstraintTemplate; a Constraint is a plain YAML object of the kind the template defines. All Constraints are evaluated as a logical AND: if any one Constraint is violated, the whole request is rejected.
- Each ConstraintTemplate describes both (1) the Rego logic that enforces the policy and (2) the schema of the Constraint, i.e. (2.1) the CRD that is generated for the Constraint kind and (2.2) the parameters that can be passed into a Constraint, much like arguments to a function.
- Both ConstraintTemplates and Constraints are cluster-scoped: neither has a namespace.
The audit functionality periodically evaluates resources already replicated into Gatekeeper's cache against all Constraints, so it detects pre-existing misconfigurations that the webhook never saw (objects created before the Constraint existed, or while the webhook was down). Gatekeeper stores audit results as violations listed in the status field of the relevant Constraint:
kubectl get <constraint-kind> <constraint-name> -o yaml
and check the status.violations field (and status.totalViolations) in the output. kubectl get constraints lists Constraints of every kind.
- In Kubernetes, Gatekeeper is a common replacement for PodSecurityPolicy (PSP), which was deprecated in 1.21 and removed in 1.25; the built-in successor is Pod Security Admission, and Gatekeeper can enforce equivalent or stricter pod-security rules. OPA itself is also used as a policy engine for Envoy Proxy, SSH and sudo.
- Gatekeeper is the validating (and, in recent versions, mutating) webhook + audit + CRD-based policy management; OPA is the policy engine that evaluates the Rego.
- failurePolicy: Ignore on the webhook configuration means that if the webhook is down or times out, the API server admits the request without evaluating any Constraint (fail open). Audit will later report such objects as violations, but it will not undo them. failurePolicy: Fail closes that gap at the cost of blocking all matching requests while the webhook is unavailable.
Use cases
- Validating
  - Require specific labels on all resources, e.g. all Namespaces must have a label that lists a point of contact.
  - Require that container images come from the corporate image registry. Note that with a Constraint matching kind Pod, creating a Deployment does not fail: the Deployment and its ReplicaSet are accepted, but the Pods the ReplicaSet controller tries to create are rejected, so the Deployment sits at 0 ready pods. kubectl describe on the ReplicaSet shows the FailedCreate events with the admission error; the Constraint's status field only lists violations found by audit on objects that already exist.
  - Require that all Pods specify resource requests and limits.
  - Prevent conflicting Ingress objects from being created, e.g. all Ingress hostnames must be globally unique.
  - Disallow running as root.
  - Disallow privileged containers.
- Mutating
  - Inject sidecar containers into Pods.
  - Set specific annotations on all resources.
  - Rewrite container images to point at the corporate image registry.
  - Include node and pod (anti-)affinity selectors on Deployments.
Fields of the admission review available to the Rego policy (plain OPA with kube-mgmt exposes them under input.request; Gatekeeper exposes the same AdmissionRequest under input.review, so use input.review.* in ConstraintTemplates):
- input.request.kind specifies the type of the object (e.g. Pod, Service).
- input.request.operation specifies the type of operation: CREATE, UPDATE, DELETE or CONNECT.
- input.request.userInfo specifies the identity of the caller.
- input.request.object contains the entire Kubernetes object.
- input.request.oldObject contains the previous version of the Kubernetes object on UPDATE and DELETE.
- Audit evaluates cached objects through the same input.review.object path, so a policy written against it works for both admission and audit.
When we define a Constraint, we say what it applies to with the match field. It supports kinds (a list of apiGroups/kinds pairs), namespaces, excludedNamespaces, labelSelector, namespaceSelector, scope (Cluster, Namespaced or *) and name (object name, glob allowed).
We can also set enforcementAction on a Constraint: deny (the default) rejects the request, dryrun only records violations in the Constraint's status, and warn admits the request but returns the violation as a client-side warning.
Related Tools
1. conftest: runs Rego policies against configuration files (Kubernetes manifests, Terraform, Dockerfiles) outside the cluster, so the same checks can run in a CI/CD pipeline before anything reaches the admission webhook.
2. Kyverno: an alternative admission-policy engine for Kubernetes with policies written as YAML rather than Rego.
Reference:
https://kubernetes.io/blog/2019/08/06/opa-gatekeeper-policy-and-governance-for-kubernetes/
Sample Constraints https://github.com/open-policy-agent/gatekeeper/tree/master/demo/agilebank/templates and https://github.com/open-policy-agent/gatekeeper/tree/master/demo/basic/templates