Gatekeeper

Definition

Gatekeeper is an open-source admission controller for Kubernetes, built on Open Policy Agent (OPA), that enforces policy on resources as they are created or updated. Policies are managed as code in two parts: a ConstraintTemplate carries the Rego logic and defines a new custom resource kind, and a Constraint instantiates that template, selecting which kinds and namespaces it applies to and with what parameters. Gatekeeper registers as a validating admission webhook, so every matching request to the API server is evaluated against the active Constraints before it is persisted; a Constraint whose enforcementAction is deny (the default) rejects non-compliant requests, while dryrun and warn only record or report the violation. Gatekeeper also audits resources already in the cluster and writes any violations into each Constraint's status. Two operational points matter for security: a ConstraintTemplate by itself enforces nothing until a Constraint references it, and the webhook's failurePolicy decides what happens when Gatekeeper is unavailable. Gatekeeper's default manifests set that policy to Ignore, which fails open, so switch it to Fail where a Gatekeeper outage should block writes rather than silently admit them.

Secure Settings Example

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        # Emit one violation listing every required label the object lacks.
        violation[{"msg": msg}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {"app", "env"}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("You must provide labels: %v", [missing])
        }
---
# The template alone enforces nothing. This Constraint instantiates it,
# scopes it to the kinds that matter, and denies non-compliant requests.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-app-and-env
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
    excludedNamespaces: ["kube-system"]

Insecure Settings Example

# A template that can never produce a violation: every resource is admitted.
# The same effect arises, more often in practice, when a correct template is
# bound by a Constraint left in enforcementAction: dryrun or warn, or is never
# bound by a Constraint at all, so review both the Rego and the Constraint.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg}] {
          provided := {label | input.review.object.metadata.labels[label]}
          # No required labels are specified, so nothing is ever missing,
          # the count check never holds and no violation is produced:
          # any resource passes with whatever labels it carries.
          required := set()
          missing := required - provided
          count(missing) > 0
          msg := sprintf("You must provide labels: %v", [missing])
        }
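The Rego unit tests below are an added example, not part of this page or of the Gatekeeper project, and they cover both the secure and the insecure template above. They assume the rego from whichever template is under test has been saved as k8srequiredlabels.rego beside the test file; the AdmissionReview fragments are constructed here and contain only the fields the policy reads (Gatekeeper exposes the admission request as input.review, with the submitted resource at input.review.object). Run them with `opa test .` (on OPA 1.x add `--v0-compatible`, since the template uses the pre-1.0 syntax). Against the secure template all three tests pass; against the insecure template the suite does not pass, which is exactly the regression a CI step should catch before a template that admits everything reaches the cluster.

```rego
package k8srequiredlabels

# Constructed admission inputs in the shape Gatekeeper supplies to the
# policy. Only metadata.labels is read, so other fields are kept minimal.
labeled_pod := {"review": {"object": {
  "kind": "Pod",
  "metadata": {
    "name": "web",
    "namespace": "prod",
    "labels": {"app": "web", "env": "prod"}
  }
}}}

# Has "app" but lacks "env".
partially_labeled_pod := {"review": {"object": {
  "kind": "Pod",
  "metadata": {
    "name": "web",
    "namespace": "prod",
    "labels": {"app": "web"}
  }
}}}

# No labels field at all: the comprehension in the policy must still
# evaluate to an empty set rather than make the rule undefined.
unlabeled_pod := {"review": {"object": {
  "kind": "Pod",
  "metadata": {"name": "web", "namespace": "prod"}
}}}

# A fully labeled object must produce no violation.
test_allows_fully_labeled {
  count(violation) == 0 with input as labeled_pod
}

# One missing label yields exactly one violation that names it.
test_denies_missing_env {
  count(violation) == 1 with input as partially_labeled_pod
  violation[v] with input as partially_labeled_pod
  contains(v.msg, "env")
}

# An object with no labels field is still denied, with both labels listed.
test_denies_when_labels_absent {
  count(violation) == 1 with input as unlabeled_pod
  violation[v] with input as unlabeled_pod
  contains(v.msg, "app")
  contains(v.msg, "env")
}
```

The tests exercise the policy logic only; the Constraint's match scope, enforcementAction and the webhook failurePolicy are not covered by opa test and still need to be checked against the deployed manifests.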