Gatekeeper Page

Gatekeeper



Gatekeeper is an open-source policy controller for Kubernetes built on the Open Policy Agent (OPA). It lets you express rules about how cluster resources must be configured, enforce them at admission time before an object is persisted, and audit resources that already exist, so that security and compliance requirements are applied uniformly across your deployments.

Key Features



* **Declarative Policy Management:** Policies are written in Rego, OPA's policy language, and applied to the cluster as ordinary Kubernetes objects rather than as logic wired into each application or CI pipeline.
* **Custom Resource Definitions (CRDs):** A `ConstraintTemplate` carries the Rego and the schema of its parameters; Gatekeeper generates a Constraint CRD from it (the `K8sRequiredLabels` kind below), and each Constraint object selects which resources to check and supplies the parameter values.
* **Admission Webhooks:** Gatekeeper registers a validating admission webhook (and, since v3.4, a mutating one) with the API server, so every matching create or update request is evaluated against the relevant Constraints before the object is stored.
* **Audit Functionality:** A periodic audit evaluates resources already in the cluster and records violations in each Constraint's `status`, catching objects that predate a policy or were admitted while the webhook was unavailable.
* **Extensibility:** Beyond validation, Gatekeeper supports mutation (`Assign`, `AssignMetadata`, `ModifySet`) and external data providers, which let a policy consult out-of-cluster sources such as an image-signature or vulnerability service.

Benefits



* **Enhanced Security and Compliance:** Gatekeeper enforces consistent security and compliance standards across your Kubernetes clusters, preventing unauthorized or misconfigured deployments.
* **Centralized Policy Management:** It provides a centralized location for defining and managing policies, ensuring that they are applied consistently across your environment.
* **Declarative Approach:** Gatekeeper's use of the Rego policy language and CRDs makes it easy to define and manage policies in a declarative way, promoting clarity and maintainability.
* **Proactive Enforcement:** With `enforcementAction: deny` (the default), the webhook rejects non-compliant create and update requests before the object is stored; `dryrun` and `warn` report violations without blocking, which is the usual way to roll a new policy out safely.
* **Auditing and Remediation:** The audit functionality helps identify existing resources that violate policies, enabling you to take corrective actions.

Code Examples



1. **ConstraintTemplate Definition:**

```yaml
# v1beta1 accepts unstructured parameters; templates.gatekeeper.sh/v1 requires a
# structural openAPIV3Schema for spec.parameters under spec.crd.spec.validation.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels      # must be the lowercase form of the kind below
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels  # the Constraint kind Gatekeeper generates
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        # Each matching element of the violation set becomes one denial message.
        violation[{"msg": msg}] {
          # Labels present on the object under review (empty set if none)
          provided := {key | input.review.object.metadata.labels[key]}
          # Labels demanded by this Constraint's spec.parameters.labels
          required := {key | key := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("you must provide labels: %v", [missing])
        }
```

This ConstraintTemplate declares the `K8sRequiredLabels` constraint kind and the Rego that compares the labels on the object under review (`input.review.object`) with the list in `input.parameters.labels`. The template does not itself decide which labels or which resources: both come from each Constraint created from it.

2. **Constraint Definition:**

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels          # kind generated by the ConstraintTemplate above
metadata:
  name: require-labels-on-namespace
spec:
  enforcementAction: deny        # deny (the default) | dryrun | warn
  match:
    kinds:
      - apiGroups: [""]          # "" is the core API group
        kinds: ["Namespace"]
  parameters:
    labels: ["environment"]      # becomes input.parameters.labels in Rego
```

This Constraint applies the `k8srequiredlabels` template to Namespace objects and requires the `environment` label on every one of them. New or updated Namespaces without it are rejected by the webhook; Namespaces that already existed are not removed, but the audit lists them under the Constraint's `status.violations` until they are labelled. Setting `enforcementAction: dryrun` first lets you see that list before anything is blocked.
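To make the two objects above concrete, here is an added example (not Gatekeeper's own code) that emulates in plain Python what Gatekeeper does with them: which objects the Constraint's `spec.match` selects, the shape of the `input` document the template's Rego receives, the required-labels rule as a set difference, and how `enforcementAction` decides whether a violation blocks the request. The `review` structure is simplified to the fields the example policy reads, the `excludedNamespaces` entry and all sample objects are constructed for illustration, and the namespace-name handling for Namespace objects follows the behaviour described in the Gatekeeper docs.

```python
"""Plain-Python emulation of Gatekeeper's match + evaluate + enforce flow for
the K8sRequiredLabels example. Added example, not Gatekeeper code."""
from typing import Any, Dict, List, Tuple

# Constructed Constraint mirroring the one on this page; the
# excludedNamespaces entry is an assumed addition to show that selector.
CONSTRAINT: Dict[str, Any] = {
    "kind": "K8sRequiredLabels",
    "metadata": {"name": "require-labels-on-namespace"},
    "spec": {
        "enforcementAction": "deny",  # deny (default) | dryrun | warn
        "match": {
            "kinds": [{"apiGroups": [""], "kinds": ["Namespace"]}],
            "excludedNamespaces": ["kube-system"],
        },
        "parameters": {"labels": ["environment"]},
    },
}


def api_group(api_version: str) -> str:
    """'v1' -> '' (core group); 'apps/v1' -> 'apps'."""
    return api_version.split("/")[0] if "/" in api_version else ""


def matches(constraint: Dict[str, Any], obj: Dict[str, Any]) -> bool:
    """Emulate the spec.match fields used here: kinds and excludedNamespaces.
    An absent/empty kinds list matches every kind and "*" is a wildcard.
    Namespace selectors also apply to Namespace objects, matched by name."""
    match = constraint["spec"].get("match", {})
    group, kind = api_group(obj["apiVersion"]), obj["kind"]
    kinds = match.get("kinds") or []
    if kinds and not any(
        ("*" in k.get("apiGroups", ["*"]) or group in k.get("apiGroups", []))
        and ("*" in k.get("kinds", ["*"]) or kind in k.get("kinds", []))
        for k in kinds
    ):
        return False
    ns = obj["metadata"].get("namespace")
    if ns is None and kind == "Namespace":
        ns = obj["metadata"]["name"]
    return not (ns is not None and ns in (match.get("excludedNamespaces") or []))


def build_input(constraint: Dict[str, Any], obj: Dict[str, Any],
                operation: str = "CREATE") -> Dict[str, Any]:
    """The `input` document the template's Rego sees: input.review is the
    AdmissionReview request (simplified here), input.parameters the
    Constraint's spec.parameters."""
    return {
        "review": {
            "operation": operation,
            "kind": {"group": api_group(obj["apiVersion"]), "kind": obj["kind"]},
            "object": obj,
        },
        "parameters": constraint["spec"].get("parameters", {}),
    }


def required_labels_violations(inp: Dict[str, Any]) -> List[str]:
    """Python rendering of the Rego rule: missing = required - provided.
    As in Rego, an object with no labels map yields an empty provided set."""
    labels = inp["review"]["object"].get("metadata", {}).get("labels") or {}
    provided, required = set(labels), set(inp["parameters"].get("labels", []))
    missing = required - provided
    return [f"you must provide labels: {sorted(missing)}"] if missing else []


def admit(constraint: Dict[str, Any], obj: Dict[str, Any]) -> Tuple[bool, List[str]]:
    """Return (allowed, messages). Unmatched objects are never evaluated.
    Only enforcementAction=deny blocks; dryrun/warn report but allow."""
    if not matches(constraint, obj):
        return True, []
    msgs = required_labels_violations(build_input(constraint, obj))
    action = constraint["spec"].get("enforcementAction", "deny")
    return (not msgs) or action != "deny", msgs


# Constructed sample objects.
NS_PROD = {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "prod"}}
NS_STAGING = {"apiVersion": "v1", "kind": "Namespace",
              "metadata": {"name": "staging", "labels": {"environment": "staging"}}}
NS_KUBE_SYSTEM = {"apiVersion": "v1", "kind": "Namespace",
                  "metadata": {"name": "kube-system"}}
POD = {"apiVersion": "v1", "kind": "Pod",
       "metadata": {"name": "web", "namespace": "prod"}}

if __name__ == "__main__":
    for o in (NS_PROD, NS_STAGING, NS_KUBE_SYSTEM, POD):
        allowed, msgs = admit(CONSTRAINT, o)
        print(f"{o['kind']}/{o['metadata']['name']}: allowed={allowed} {msgs}")
```

Running it shows `prod` denied for the missing label, `staging` admitted, `kube-system` skipped by the namespace exclusion, and the Pod never evaluated because the Constraint only matches Namespaces. Switching `enforcementAction` to `dryrun` keeps the same message but admits the object, which is what the audit status would later report.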

Additional Resources



* **Gatekeeper GitHub Repository:** [https://github.com/open-policy-agent/gatekeeper](https://github.com/open-policy-agent/gatekeeper)
* **Gatekeeper Documentation:** [https://open-policy-agent.github.io/gatekeeper/website/docs/](https://open-policy-agent.github.io/gatekeeper/website/docs/)