OPA Gatekeeper
MKE 4k supports the use of OPA Gatekeeper for purposes of policy control.
Open Policy Agent (OPA) is an open source policy engine that facilitates policy-based control for cloud native environments. OPA introduces a high-level declarative language called Rego that decouples policy decisions from enforcement.
The OPA Constraint Framework introduces the following primary resources:
- Constraint templates - OPA policy definitions, written in Rego.
- Constraints - the application of a constraint template to a given set of objects.
Gatekeeper uses the Kubernetes API to integrate OPA into Kubernetes. Policies are defined in the form of Kubernetes CustomResourceDefinitions (CRDs) and are enforced with custom admission controller webhooks. These CRDs define constraint templates and constraints on the API server. Any time a request to create, delete, or update a resource is sent to the Kubernetes cluster API server, Gatekeeper validates that resource against the predefined policies. Gatekeeper also audits preexisting resource constraint violations against newly defined policies.
Using OPA Gatekeeper, you can enforce a wide range of policies against your Kubernetes cluster. Policy examples include:
- Container images can only be pulled from a set of whitelisted repositories.
- New resources must be appropriately labeled.
- Deployments must specify a minimum number of replicas.
Configuration
To configure OPA Gatekeeper in MKE 4k, set the following fields in the mke4.yaml configuration file:
spec:
policyController:
opaGatekeeper:
enabled: true
exemptNamespaces:
- <Namespace1>
- <Namespace2>The exemptNamespaces field lists the namespaces that are exempt from policy
enforcement. The following namespaces are added by default, and thus cannot be
removed:
kube-systemkube-publickube-node-leasek0s-systemk0s-autopilotflux-systemblueprint-systemmketigera-operatorcalico-systemcalico-apiserver
Upgrade from MKE 3
If OPA Gatekeeper is enabled in MKE 3, the templates, constraints and list of namespaces exempted from policy control are retained through the upgrade process.
Test OPA Gatekeeper
Before proceeding, make sure that OPA Gatekeeper is enabled and the configuration is applied to the cluster.
To check if the OPA Gatekeeper pods have entered the Running state, run:
kubectl get pod -n mkeExample output:
NAME READY STATUS RESTARTS AGE
gatekeeper-audit-56d958d955-v6d7t 1/1 Running 2 (54s ago) 61s
gatekeeper-controller-manager-79c4f4bfc7-8m9nq 1/1 Running 0 61s
gatekeeper-controller-manager-79c4f4bfc7-n66mj 1/1 Running 0 61s
gatekeeper-controller-manager-79c4f4bfc7-v8lx7 1/1 Running 0 61s
...To create constraint templates and constraints from the open source Gatekeeper library, run:
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/allow-privilege-escalation/template.yaml
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/constraint.yamlTo create pods that are disallowed by the newly created policies, run:
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/example_disallowed.yamlExample output:
Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/example_disallowed.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [psp-allow-privilege-escalation-container] Privilege escalation container is not allowed: nginxMKE version comparison
| MKE 3 | MKE 4k |
|---|---|
| [cluster_config.policy_enforcement.gatekeeper.enabled] | policyController.opaGatekeeper.enabled |
| [cluster_config.policy_enforcement.gatekeeper.excluded_namespaces] | policyController.opaGatekeeper.exemptNamespaces |