
Policies

A policy is a package of one or more Gatekeeper constraints that a user deploys to clusters. A policy can contain one or more constraints, and multiple policies with different sets of constraints can be created as required.


Create New Policy

Perform the steps below to create a new policy:

  • Log in to the Controller and select Policies under OPA Gatekeeper. The Policies main page lists the existing policies
  • Click New Policy
  • Provide a name for the policy and click Create

OPA New Policy

Policy New Version

Perform the steps below on the New Version page

  • Provide a version name

Constraints List

  • Click Add Constraint to add one or more constraints to this policy

Constraints List

Excluded Namespaces and Process

Users can exclude namespaces from evaluation, and choose which Gatekeeper processes (audit, webhook, sync, or all of them) the exclusion applies to. A namespace excluded from all processes is neither admission-checked nor audited, so misconfigurations there will not appear as violations; exclude from the webhook only if audit visibility should be retained.

  • Click Add Namespace to exclude one or more namespaces from evaluation
  • Click Add Process to select the processes the exclusion applies to

Exclude Namespace and Process

Sync Objects

Sync Objects replicates Kubernetes data into OPA through the Gatekeeper sync config resource. Constraints that need to reason about resources other than the one being admitted (for example, checking that an Ingress host is unique across namespaces) read this replicated data, and can only see the kinds that have been synced.

  • Click Add Sync Object to add group, version and kind

Add Sync Objects
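The excluded-namespace, process and sync settings above all end up in a single Gatekeeper Config resource. The following is an added example of what that resource looks like; it is not taken from the page or from the product's own output, and it assumes Gatekeeper is installed in the gatekeeper-system namespace. The namespace names and synced kinds are constructed for illustration:

```yaml
# Added example of a Gatekeeper Config resource (not the page's own content).
# Gatekeeper only honours the Config object named "config" in its own namespace.
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: gatekeeper-system   # assumption: default Gatekeeper install namespace
spec:
  match:
    # Fully exempt the control-plane namespaces from audit, webhook and sync.
    # Nothing in these namespaces will ever be reported as a violation.
    - excludedNamespaces: ["kube-system", "gatekeeper-system"]
      processes: ["*"]
    # Exempt a busy, constructed "ci-runners" namespace from admission only,
    # so audit still records its violations in the constraint status.
    - excludedNamespaces: ["ci-runners"]
      processes: ["webhook"]
  sync:
    syncOnly:
      # Replicate these kinds into OPA; constraints that use data.inventory
      # (and audit-from-cache) can only see the kinds listed here.
      - group: ""
        version: "v1"
        kind: "Namespace"
      - group: ""
        version: "v1"
        kind: "Pod"
      - group: "networking.k8s.io"
        version: "v1"
        kind: "Ingress"
```

Every kind that a constraint template reads from data.inventory, or that audit should evaluate from cache, must be listed under syncOnly; a missing entry does not produce an error, it just makes the resource invisible to OPA.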

Installation Parameters

Users can enable or disable the audit parameters below for the policy, if required

  • Set the Audit Interval and Constraint Violation Limit. Audit periodically evaluates replicated resources against the policies enforced in the cluster to detect pre-existing misconfigurations. Audit results are stored as violations listed in the status field of the failing constraint; the Constraint Violation Limit caps how many violations are recorded per constraint, although the status still reports the total count. The default Audit Interval is 60 seconds and the default Constraint Violation Limit is 20

  • By default, audit requests each resource from the Kubernetes API during each audit cycle. Enable Audit from Cache to evaluate the OPA cache instead

Note: This requires the audited kinds to be replicated into OPA (see Sync Objects) before they can be evaluated against the enforced policies; kinds that are not synced will not be audited

  • If all of the constraints match against specific kinds (for example, match only Pods), enable Audit Match Kind Only to speed up audit runs by listing only those kinds

  • Some non-compliant deletes can slip through a policy because the Gatekeeper validating webhook does not evaluate DELETE requests by default. Enable Delete Operations to have the webhook evaluate deletes as well

Installation Parameters

  • Click Save Changes
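To make the constraint and audit settings on this page concrete, here is an added example (not the page's or the product's own content) of one constraint as it might be added to a policy, followed by the status that Gatekeeper audit writes back to it once the Constraint Violation Limit is reached. It assumes a K8sRequiredLabels ConstraintTemplate whose parameters.labels is a list of required label keys, as in the Gatekeeper documentation example; the namespace names, timestamp and messages are constructed:

```yaml
# Added example of a Gatekeeper constraint (assumes the K8sRequiredLabels template).
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: ns-must-have-owner
spec:
  # dryrun: audit records violations but the webhook does not deny requests.
  # Switch to deny once the audit status below shows no unexpected hits.
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
    # Constraint-level exclusion: only this constraint ignores these namespaces,
    # unlike the Config-level exclusion, which applies to every constraint.
    excludedNamespaces: ["kube-system", "kube-public"]
  parameters:
    labels: ["owner"]
status:
  # Written by audit, not by the user. With a Constraint Violation Limit of 2
  # (constructed here to keep the example short) only two violations are
  # listed, but totalViolations still reports the full count.
  auditTimestamp: "2024-01-01T00:00:00Z"
  totalViolations: 3
  violations:
    - enforcementAction: dryrun
      group: ""
      version: v1
      kind: Namespace
      name: default
      message: 'you must provide labels: {"owner"}'
    - enforcementAction: dryrun
      group: ""
      version: v1
      kind: Namespace
      name: ci-runners
      message: 'you must provide labels: {"owner"}'
```

When totalViolations exceeds the number of entries in violations, raise the Constraint Violation Limit on the policy or narrow the constraint's match block; otherwise the status only ever shows the first few offenders.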

On successful policy creation, users can view the new policy's details, including each of its versions

Policy Versions