Open Policy Agent (OPA) is a general-purpose policy engine used to enforce policies in Kubernetes clusters. OPA helps to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more. OPA policies are expressed in a high-level declarative language called Rego.
Gatekeeper is a validating webhook, enforcing CRD-based policies executed by Open Policy Agent(OPA). In addition to "enforcement", Gatekeeper also supports an audit functionality that allows administrators to view the resources that are currently violating policy.
OPA Gatekeeper uses the following CRDs to enforce policies:
- Constraint Templates
Org Admin and Infra Admin roles are allowed to configure and use this feature to enforce the policies on clusters
OPA Gatekeeper Integration¶
OPA Gatekeeper helps administrators define policies and ensure thatk8s resources on a cluster is adhering to those policies. All the Gatekeeper components are consolidated as Gatekeeper-Config with the following parameters:
- Installation parameters: Configurable helm chart values that user can modify (example: auditInterval)
- Config: Namespaces to exclude from evaluation and list of k8s objects to sync for evaluation
- Constraints: List of constraints to be applied to the cluster
To update a policy, user must update the Gatekeeper-Config with the required changes and create a new blueprint version. On successful creation, update the blueprint new version in the cluster.