OPA Gatekeeper
Definition
OPA Gatekeeper is a policy enforcement tool that integrates with Kubernetes to provide dynamic admission control. It uses Open Policy Agent (OPA) to define and enforce policies on Kubernetes resources, ensuring that only compliant configurations are deployed. Gatekeeper allows for the creation of custom policies using Rego, a declarative language, and can audit existing resources to identify policy violations.
Secure Settings Example
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: ns-must-have-gk
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    labels: ["gatekeeper"]
This constraint requires every Kubernetes Namespace to carry a label with the key gatekeeper; admission requests for namespaces without it are rejected, and Gatekeeper's audit reports any pre-existing namespaces that lack it, enforcing a standard labeling practice across the cluster.
Insecure Settings Example
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: ns-must-have-gk
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    labels: []
This configuration is insecure because it specifies an empty list of required labels: the constraint still exists and still matches every Namespace, but there is nothing for it to check, so every namespace is admitted and audit never reports a violation. The policy appears to be enforced while enforcing nothing, which can lead to unmanaged and inconsistent resource labeling.
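To make the difference between the two constraints concrete, the following added example (not Gatekeeper's own Rego template or any code from the project) re-implements the required-labels check in Python and runs both constraints against constructed Namespace objects. The constraint dictionaries mirror the two YAML documents above; the Namespace and Pod manifests, and the functions matches, missing_labels, admit and lint_constraint, are assumptions made for this illustration. The lint step is the pre-flight check a practitioner would want before applying a constraint: it flags the insecure variant as a no-op.

```python
"""Offline re-implementation of the K8sRequiredLabels check (example code, not
Gatekeeper's Rego), used to compare the secure and insecure constraints."""

# The two constraints from the page, as dicts mirroring the YAML.
SECURE_CONSTRAINT = {
    "apiVersion": "constraints.gatekeeper.sh/v1beta1",
    "kind": "K8sRequiredLabels",
    "metadata": {"name": "ns-must-have-gk"},
    "spec": {
        "match": {"kinds": [{"apiGroups": [""], "kinds": ["Namespace"]}]},
        "parameters": {"labels": ["gatekeeper"]},
    },
}

INSECURE_CONSTRAINT = {
    "apiVersion": "constraints.gatekeeper.sh/v1beta1",
    "kind": "K8sRequiredLabels",
    "metadata": {"name": "ns-must-have-gk"},
    "spec": {
        "match": {"kinds": [{"apiGroups": [""], "kinds": ["Namespace"]}]},
        "parameters": {"labels": []},
    },
}

# Constructed admission objects (not taken from any real cluster).
NS_LABELED = {"apiVersion": "v1", "kind": "Namespace",
              "metadata": {"name": "payments", "labels": {"gatekeeper": "enabled"}}}
NS_UNLABELED = {"apiVersion": "v1", "kind": "Namespace",
                "metadata": {"name": "scratch", "labels": {}}}
NS_NO_LABELS_FIELD = {"apiVersion": "v1", "kind": "Namespace",
                      "metadata": {"name": "legacy"}}  # metadata.labels absent entirely
POD = {"apiVersion": "v1", "kind": "Pod",
       "metadata": {"name": "web", "labels": {}}}


def matches(constraint, obj):
    """Does spec.match.kinds select this object?

    apiGroups "" is the core API group, whose apiVersion has no slash ("v1");
    a "*" entry in apiGroups or kinds acts as a wildcard.
    """
    api_version = obj.get("apiVersion", "v1")
    group = api_version.rsplit("/", 1)[0] if "/" in api_version else ""
    for rule in constraint["spec"].get("match", {}).get("kinds", []):
        groups = rule.get("apiGroups", ["*"])
        kinds = rule.get("kinds", ["*"])
        if ("*" in groups or group in groups) and ("*" in kinds or obj["kind"] in kinds):
            return True
    return False


def missing_labels(constraint, obj):
    """Return the required label keys the object lacks; an empty list means the
    object satisfies the constraint (or is not selected by it at all)."""
    if not matches(constraint, obj):
        return []
    required = constraint["spec"].get("parameters", {}).get("labels", [])
    present = obj.get("metadata", {}).get("labels") or {}
    return [key for key in required if key not in present]


def admit(constraint, obj):
    """Admission decision as (allowed, message), in the spirit of a deny rule."""
    missing = missing_labels(constraint, obj)
    if missing:
        return False, f"you must provide labels: {missing}"
    return True, ""


def lint_constraint(constraint):
    """Pre-flight check before applying a constraint: a K8sRequiredLabels
    constraint with an empty parameters.labels selects resources but can never
    deny anything, which is exactly the insecure example on the page."""
    findings = []
    name = constraint["metadata"]["name"]
    if not constraint["spec"].get("parameters", {}).get("labels"):
        findings.append(f"{name}: parameters.labels is empty; constraint enforces nothing")
    return findings


if __name__ == "__main__":
    for label, constraint in (("secure", SECURE_CONSTRAINT), ("insecure", INSECURE_CONSTRAINT)):
        print(f"--- {label} constraint ---")
        for obj in (NS_LABELED, NS_UNLABELED, NS_NO_LABELS_FIELD, POD):
            allowed, msg = admit(constraint, obj)
            print(f"{obj['kind']}/{obj['metadata']['name']}: allowed={allowed} {msg}")
        print("lint:", lint_constraint(constraint) or "ok")
```

Running the block shows the secure constraint rejecting the two unlabeled namespaces and ignoring the Pod (it is outside match.kinds), while the insecure constraint admits everything; only the lint finding distinguishes the insecure constraint from a healthy one, since neither admission nor audit will ever surface a violation for it.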