Introduction
Goals
Every organization has policies. Some are essential to meet governance and legal requirements. Others help ensure adherence to best practices and institutional conventions. Attempting to ensure compliance manually would be error-prone and frustrating. Automating policy enforcement ensures consistency, lowers development latency through immediate feedback, and helps with agility by allowing developers to operate independently without sacrificing compliance.
Kubernetes allows decoupling policy decisions from the inner workings of the API Server by means of admission controller webhooks, which are executed whenever a resource is created, updated or deleted. Gatekeeper is a validating and mutating webhook that enforces CRD-based policies executed by Open Policy Agent, a policy engine for Cloud Native environments hosted by CNCF as a graduated project.
In addition to the admission scenario, Gatekeeper's audit functionality allows administrators to see what resources are currently violating any given policy.
Finally, Gatekeeper's engine is designed to be portable, allowing administrators to detect and reject non-compliant commits to an infrastructure-as-code system's source-of-truth, further strengthening compliance efforts and preventing bad state from slowing down the organization.
Validation and mutation
Gatekeeper supports both validation and mutation, but they are configured with different policy resources and have different effects:
| Area | Policy resources | Effect |
|---|---|---|
| Validation | ConstraintTemplate and Constraint resources | Evaluates resources and can deny, warn, dry-run, audit, or report violations without changing the resource. |
| Mutation | AssignMetadata, Assign, ModifySet, and AssignImage mutator resources | Changes matching resources during admission before validation evaluates the final object. |
Some concepts apply to both areas, such as match criteria and namespace exclusions. Other concepts are specific to validation constraints, including enforcementAction, audit results, and violation status.
Looking for sample policies?
Please visit Gatekeeper policy library to find a collection of sample policies.
How is Gatekeeper different from OPA?
Compared to using OPA with its sidecar kube-mgmt (aka Gatekeeper v1.0), Gatekeeper introduces the following functionality:
- An extensible, parameterized policy library
- Native Kubernetes CRDs for instantiating the policy library (aka "constraints")
- Native Kubernetes CRDs for extending the policy library (aka "constraint templates")
- Native Kubernetes CRDs for mutation support
- Audit functionality
- External data support