{"id":9707,"date":"2019-08-06T19:00:02","date_gmt":"2019-08-06T19:00:02","guid":{"rendered":"http:\/\/howk.de\/w1\/blog-opa-gatekeeper-policy-and-governance-for-kubernetes\/"},"modified":"2019-08-06T19:00:02","modified_gmt":"2019-08-06T19:00:02","slug":"blog-opa-gatekeeper-policy-and-governance-for-kubernetes","status":"publish","type":"post","link":"https:\/\/howk.de\/?p=9707","title":{"rendered":"Blog: OPA Gatekeeper: Policy and Governance for Kubernetes"},"content":{"rendered":"<p><strong>Authors:<\/strong> Rita Zhang (Microsoft), Max Smythe (Google), Craig Hooper (Commonwealth Bank AU), Tim Hinrichs (Styra), Lachie Evenson (Microsoft), Torin Sandall (Styra)<\/p>\n<p>The <a href=\"https:\/\/github.com\/open-policy-agent\/gatekeeper\" target=\"_blank\">Open Policy Agent Gatekeeper<\/a> project helps you enforce policies and strengthen governance in your Kubernetes environment. In this post, we walk through the goals, history, and current state of the project.<\/p>\n<p>The following recordings from the KubeCon EU 2019 sessions are a good starting point for working with Gatekeeper:<\/p>\n<ul>\n<li><a href=\"https:\/\/youtu.be\/Yup1FUc2Qn0\" target=\"_blank\">Intro: Open Policy Agent Gatekeeper<\/a><\/li>\n<li><a href=\"https:\/\/youtu.be\/n94_FNhuzy4\" target=\"_blank\">Deep Dive: Open Policy Agent<\/a><\/li>\n<\/ul>\n<h2 id=\"motivations\">Motivations<\/h2>\n<p>If your organization operates Kubernetes, you have probably been looking for ways to control what end-users can do on the cluster and to ensure that clusters comply with company policy. These policies may exist to meet governance and legal requirements or to enforce best practices and organizational conventions. 
With Kubernetes, how do you ensure compliance without sacrificing development agility and operational independence?<\/p>\n<p>For example, you can enforce policies like:<\/p>\n<ul>\n<li>All images must be from approved repositories<\/li>\n<li>All ingress hostnames must be globally unique<\/li>\n<li>All pods must have resource limits<\/li>\n<li>All namespaces must have a label that lists a point-of-contact<\/li>\n<\/ul>\n<p>Kubernetes allows policy decisions to be decoupled from the API server by means of <a href=\"https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/extensible-admission-controllers\/\" target=\"_blank\">admission controller webhooks<\/a>, which intercept admission requests before they are persisted as objects in Kubernetes. <a href=\"https:\/\/github.com\/open-policy-agent\/gatekeeper\" target=\"_blank\">Gatekeeper<\/a> was created to let users customize admission control via configuration, not code, and to bring awareness of the cluster\u2019s state into the decision, not just the single object under evaluation at admission time. Gatekeeper is a customizable admission webhook for Kubernetes that enforces policies executed by the <a href=\"https:\/\/www.openpolicyagent.org\" target=\"_blank\">Open Policy Agent (OPA)<\/a>, a policy engine for Cloud Native environments hosted by the CNCF.<\/p>\n<h2 id=\"evolution\">Evolution<\/h2>\n<p>Before we dive into the current state of Gatekeeper, let\u2019s take a look at how the project has evolved.<\/p>\n<ul>\n<li>Gatekeeper v1.0 &#8211; Uses OPA as the admission controller with the kube-mgmt sidecar enforcing configmap-based policies. It provides validating and mutating admission control. Donated by Styra.<\/li>\n<li>Gatekeeper v2.0 &#8211; Uses Kubernetes policy controller as the admission controller with OPA and kube-mgmt sidecars enforcing configmap-based policies. It provides validating and mutating admission control and audit functionality. 
Donated by Microsoft.<\/li>\n<li>Gatekeeper v3.0 &#8211; The admission controller is integrated with the <a href=\"https:\/\/github.com\/open-policy-agent\/frameworks\/tree\/master\/constraint\" target=\"_blank\">OPA Constraint Framework<\/a> to enforce CRD-based policies and to make declaratively configured policies reliably shareable. Built with kubebuilder, it provides validating admission control and audit functionality; mutating admission control is planned but not yet implemented. This enables the creation of policy templates for <a href=\"https:\/\/www.openpolicyagent.org\/docs\/latest\/how-do-i-write-policies\/\" target=\"_blank\">Rego<\/a> policies, the creation of policies as CRDs, and the storage of audit results on those policy CRDs. This project is a collaboration between Google, Microsoft, Red Hat, and Styra.<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/kubernetes.io\/images\/blog\/2019-08-06-opa-gatekeeper\/v3.png\" alt=\"\" \/><\/p>\n<h2 id=\"gatekeeper-v3-0-features\">Gatekeeper v3.0 Features<\/h2>\n<p>Now let\u2019s take a closer look at the current state of Gatekeeper and how you can leverage the latest features. Consider an organization that wants to ensure all objects in a cluster carry departmental information in their labels. How can you do this with Gatekeeper?<\/p>\n<h3 id=\"validating-admission-control\">Validating Admission Control<\/h3>\n<p>Once all the Gatekeeper components have been <a href=\"https:\/\/github.com\/open-policy-agent\/gatekeeper\" target=\"_blank\">installed<\/a> in your cluster, the API server calls the Gatekeeper admission webhook, registered through a ValidatingWebhookConfiguration, to process the admission request whenever a resource in the cluster is created, updated, or deleted, and waits for the verdict before persisting the object. Whether requests are admitted or rejected when the webhook itself cannot be reached is decided by that configuration\u2019s <code>failurePolicy<\/code>, which is worth checking if you rely on Gatekeeper as a security control.<\/p>\n<p>During the validation process, Gatekeeper acts as a bridge between the API server and OPA. 
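<\/p>
<p>To make that exchange concrete, here is an added example (not code from the Gatekeeper project or from this post) of the two messages involved: an AdmissionReview request of the kind the API server POSTs to a validating webhook when someone creates a Namespace, and the AdmissionReview response the webhook must return. The request object, its uid and the three Constraints with their label parameters are constructed for illustration; the label check itself is a Python rendering of the required-labels policy this post builds up in the next section.<\/p>

```python
import json

# Constructed AdmissionReview request (assumed example), shaped like what the API server
# POSTs to a validating webhook when a user runs `kubectl create namespace payments`.
ADMISSION_REQUEST = {
    "apiVersion": "admission.k8s.io/v1beta1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "705ab4f5-6393-11e8-b7cc-42010a800002",  # made-up uid
        "kind": {"group": "", "version": "v1", "kind": "Namespace"},
        "operation": "CREATE",
        "object": {
            "apiVersion": "v1",
            "kind": "Namespace",
            "metadata": {"name": "payments", "labels": {"team": "payments"}},
        },
    },
}

# Assumed Constraints, reduced to what the decision needs: the (apiGroup, kind) pairs
# from spec.match.kinds and the labels list from spec.parameters.
CONSTRAINTS = [
    {"name": "ns-must-have-hr", "kinds": [("", "Namespace")], "labels": ["hr"]},
    {"name": "ns-must-have-finance", "kinds": [("", "Namespace")], "labels": ["finance"]},
    {"name": "pods-must-have-owner", "kinds": [("", "Pod")], "labels": ["owner"]},
]


def matches(constraint, request):
    """Scope check, the equivalent of a Constraint's spec.match.kinds."""
    gvk = request["kind"]
    return (gvk["group"], gvk["kind"]) in constraint["kinds"]


def required_labels_violations(obj, required):
    """Same set arithmetic as the k8srequiredlabels Rego: required minus provided."""
    provided = set(obj.get("metadata", {}).get("labels", {}))
    missing = sorted(set(required) - provided)
    return ["you must provide labels: %s" % (missing,)] if missing else []


def review(admission_review, constraints):
    """Evaluate every matching Constraint; a violation from any of them denies the
    request (logical AND), and all messages are returned together to the caller."""
    request = admission_review["request"]
    violations = []
    for c in constraints:
        if matches(c, request):
            for msg in required_labels_violations(request["object"], c["labels"]):
                violations.append("[denied by %s] %s" % (c["name"], msg))
    response = {
        "apiVersion": admission_review["apiVersion"],
        "kind": "AdmissionReview",
        # The uid is echoed so the API server can match the verdict to its request.
        "response": {"uid": request["uid"], "allowed": not violations},
    }
    if violations:
        response["response"]["status"] = {"code": 403, "message": "\n".join(violations)}
    return response


if __name__ == "__main__":
    print(json.dumps(review(ADMISSION_REQUEST, CONSTRAINTS), indent=2))
```

<p>Run stand-alone, the script prints a denial that names both Namespace Constraints and leaves the Pod Constraint out, because the match step scoped it to a different kind. Two details worth keeping in mind when reading real webhook traffic: the response carries the request\u2019s <code>uid<\/code> so the API server can correlate it, and a single <code>allowed: false<\/code> is returned for the whole request however many Constraints failed.<\/p>
<p>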
The API server hands each admission request to Gatekeeper, Gatekeeper evaluates it with OPA (embedded in Gatekeeper v3 rather than running as a sidecar) against every enforced policy, and the API server acts on the verdict that comes back: a request that violates any policy is rejected before the object is persisted.<\/p>\n<h3 id=\"policies-and-constraints\">Policies and Constraints<\/h3>\n<p>With the integration of the OPA Constraint Framework, a Constraint is a declaration that its author wants the system to meet a given set of requirements. The logic behind each Constraint is written in Rego, the declarative query language OPA uses to enumerate the instances of data that violate the expected state of the system. All Constraints are evaluated as a logical AND: if any one Constraint is not satisfied, the whole request is rejected.<\/p>\n<p>Before defining a Constraint, you need to create a Constraint Template that allows people to declare new Constraints. Each template describes both the Rego logic that enforces the Constraint and the schema for the Constraint, which includes the schema of the CRD and the parameters that can be passed into a Constraint, much like arguments to a function.<\/p>\n<p>For example, here is a Constraint Template that requires certain labels to be present on an arbitrary object. The Rego reads the object under review from <code>input.review.object<\/code> and the Constraint\u2019s arguments from <code>input.parameters<\/code>; every entry the <code>deny<\/code> rule produces is one violation, and an empty result means the object passes.<\/p>\n<div class=\"highlight\">\n<pre style=\"background-color:#f8f8f8\"><code class=\"language-yaml\" data-lang=\"yaml\">apiVersion: templates.gatekeeper.sh\/v1beta1\nkind: ConstraintTemplate\nmetadata:\n  name: k8srequiredlabels\nspec:\n  crd:\n    spec:\n      names:\n        kind: K8sRequiredLabels\n        listKind: K8sRequiredLabelsList\n        plural: k8srequiredlabels\n        singular: k8srequiredlabels\n      validation:\n        # Schema for the `parameters` field\n        openAPIV3Schema:\n          properties:\n            labels:\n              type: array\n              items: string\n  targets:\n    - target: admission.k8s.gatekeeper.sh\n      rego: |\n        package k8srequiredlabels\n\n        # Emit one violation per object that lacks any of the required labels.\n        deny[{&#034;msg&#034;: msg, &#034;details&#034;: {&#034;missing_labels&#034;: missing}}] {\n          # labels present on the object under review\n          provided := {label | input.review.object.metadata.labels[label]}\n          # labels demanded by the parameters of this Constraint\n          required := {label | label := input.parameters.labels[_]}\n          missing := required - provided\n          count(missing) &gt; 0\n          msg := sprintf(&#034;you must provide labels: %v&#034;, [missing])\n        }<\/code><\/pre>\n<\/div>\n<p>Once a Constraint Template has been deployed in the cluster, an admin can create individual Constraints, custom resources of the kind the template defines (here <code>K8sRequiredLabels<\/code>). For example, here is a Constraint that requires the label <code>hr<\/code> to be present on all namespaces.<\/p>\n<div class=\"highlight\">\n<pre style=\"background-color:#f8f8f8\"><code class=\"language-yaml\" data-lang=\"yaml\">apiVersion: constraints.gatekeeper.sh\/v1beta1\nkind: K8sRequiredLabels\nmetadata:\n  name: ns-must-have-hr\nspec:\n  match:\n    kinds:\n      - apiGroups: [&#034;&#034;]\n        kinds: [&#034;Namespace&#034;]\n  parameters:\n    labels: [&#034;hr&#034;]<\/code><\/pre>\n<\/div>\n<p>Similarly, another Constraint that requires the label <code>finance<\/code> to be present on all namespaces can be created from the same Constraint Template. Because Constraints are combined with a logical AND, a namespace now has to carry both labels to be admitted.<\/p>\n<div class=\"highlight\">\n<pre style=\"background-color:#f8f8f8\"><code class=\"language-yaml\" data-lang=\"yaml\">apiVersion: constraints.gatekeeper.sh\/v1beta1\nkind: K8sRequiredLabels\nmetadata:\n  name: ns-must-have-finance\nspec:\n  match:\n    kinds:\n      - apiGroups: [&#034;&#034;]\n        kinds: [&#034;Namespace&#034;]\n  parameters:\n    labels: [&#034;finance&#034;]<\/code><\/pre>\n<\/div>\n<p>As you can see, with the Constraint Framework we can reliably share Rego via the Constraint Templates, define the scope of enforcement with the 
match field, and provide user-defined parameters to the Constraints to create customized behavior for each Constraint.<\/p>\n<h3 id=\"audit\">Audit<\/h3>\n<p>The audit functionality periodically evaluates replicated resources against the Constraints enforced in the cluster to detect pre-existing misconfigurations. Admission control only sees requests made after a Constraint exists, so objects created earlier (or while the webhook was unavailable) are caught only by audit; in the example below that is the namespaces every cluster ships with plus <code>gatekeeper-system<\/code> itself. Gatekeeper stores audit results as <code>violations<\/code> listed in the <code>status<\/code> field of the relevant Constraint, together with the time of the run and the controller pod that enforced it.<\/p>\n<div class=\"highlight\">\n<pre style=\"background-color:#f8f8f8\"><code class=\"language-yaml\" data-lang=\"yaml\">apiVersion: constraints.gatekeeper.sh\/v1beta1\nkind: K8sRequiredLabels\nmetadata:\n  name: ns-must-have-hr\nspec:\n  match:\n    kinds:\n      - apiGroups: [&#034;&#034;]\n        kinds: [&#034;Namespace&#034;]\n  parameters:\n    labels: [&#034;hr&#034;]\nstatus:\n  auditTimestamp: &#034;2019-08-06T01:46:13Z&#034;\n  byPod:\n  - enforced: true\n    id: gatekeeper-controller-manager-0\n  violations:\n  - enforcementAction: deny\n    kind: Namespace\n    message: &#039;you must provide labels: {&#034;hr&#034;}&#039;\n    name: default\n  - enforcementAction: deny\n    kind: Namespace\n    message: &#039;you must provide labels: {&#034;hr&#034;}&#039;\n    name: gatekeeper-system\n  - enforcementAction: deny\n    kind: Namespace\n    message: &#039;you must provide labels: {&#034;hr&#034;}&#039;\n    name: kube-public\n  - enforcementAction: deny\n    kind: Namespace\n    message: &#039;you must provide labels: {&#034;hr&#034;}&#039;\n    name: kube-system<\/code><\/pre>\n<\/div>\n<h3 id=\"data-replication\">Data Replication<\/h3>\n<p>Audit requires replication of Kubernetes resources into OPA before they can be evaluated against the enforced Constraints. Data replication is also required by Constraints that need access to objects in the cluster other than the object under evaluation. For example, a Constraint that enforces uniqueness of ingress hostnames must have access to all other ingresses in the cluster.<\/p>\n<p>To configure Kubernetes data to be replicated, create a sync config resource with the resources to be replicated into OPA. 
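<\/p>
<p>What replication buys you is easiest to see in code. The following is an added example, not code from the Gatekeeper project or from this post: an in-memory stand-in for the replicated data, laid out the way Gatekeeper exposes it to Rego as <code>data.inventory<\/code> (cluster-scoped objects under <code>cluster[groupVersion][kind][name]<\/code>, namespaced ones under <code>namespace[ns][groupVersion][kind][name]<\/code>; that layout comes from the Gatekeeper README and is an assumption of this example, not something this post documents). On top of it sit the two things this section says depend on replication: an audit pass over existing Namespaces that emits entries in the shape of the <code>status.violations<\/code> list shown in the Audit section, and the unique-ingress-hostname policy, which cannot be decided from the admitted object alone. All object names and hostnames are constructed.<\/p>

```python
from collections import defaultdict

# Constructed snapshot of replicated objects (assumed data, not taken from a real
# cluster), laid out like Gatekeeper's data.inventory:
#   cluster[groupVersion][kind][name]          for cluster-scoped objects
#   namespace[ns][groupVersion][kind][name]    for namespaced objects
INVENTORY = {
    "cluster": {"v1": {"Namespace": {
        "default": {"metadata": {"name": "default"}},
        "kube-system": {"metadata": {"name": "kube-system", "labels": {"team": "platform"}}},
        "payments": {"metadata": {"name": "payments", "labels": {"hr": "alice"}}},
    }}},
    "namespace": {
        "payments": {"extensions/v1beta1": {"Ingress": {
            "shop": {"metadata": {"name": "shop", "namespace": "payments"},
                     "spec": {"rules": [{"host": "shop.example.com"}]}},
        }}},
        "staging": {"extensions/v1beta1": {"Ingress": {
            "shop-copy": {"metadata": {"name": "shop-copy", "namespace": "staging"},
                          "spec": {"rules": [{"host": "shop.example.com"}]}},
        }}},
    },
}


def required_labels_violations(obj, required):
    """Same set arithmetic as the k8srequiredlabels Rego: required minus provided."""
    missing = sorted(set(required) - set(obj["metadata"].get("labels", {})))
    return ["you must provide labels: %s" % (missing,)] if missing else []


def audit_required_labels(inventory, required, kind="Namespace", group_version="v1"):
    """Audit pass: evaluate every replicated object of the matched kind and return
    entries shaped like the status.violations list Gatekeeper writes onto the Constraint."""
    violations = []
    for name, obj in sorted(inventory["cluster"][group_version][kind].items()):
        for msg in required_labels_violations(obj, required):
            violations.append({"enforcementAction": "deny", "kind": kind,
                               "name": name, "message": msg})
    return violations


def ingress_hosts(inventory):
    """Yield (namespace, name, host) for every rule host of every replicated Ingress."""
    for ns, versions in inventory["namespace"].items():
        for kinds in versions.values():
            for name, ing in kinds.get("Ingress", {}).items():
                for rule in ing["spec"].get("rules", []):
                    if "host" in rule:
                        yield ns, name, rule["host"]


def unique_host_violations(inventory, incoming):
    """Admission-time check that needs other objects: deny when a host in the incoming
    Ingress is already claimed by a *different* Ingress in the replicated inventory."""
    me = (incoming["metadata"]["namespace"], incoming["metadata"]["name"])
    taken = {}
    for ns, name, host in ingress_hosts(inventory):
        if (ns, name) != me:  # an update of the same object must not collide with itself
            taken.setdefault(host, []).append("%s/%s" % (ns, name))
    msgs = []
    for rule in incoming["spec"].get("rules", []):
        host = rule.get("host")
        if host in taken:
            msgs.append("host %s is already used by %s" % (host, ", ".join(sorted(taken[host]))))
    return msgs


def audit_unique_hosts(inventory):
    """Audit the replicated Ingresses for hosts claimed more than once (the pre-existing case)."""
    owners = defaultdict(list)
    for ns, name, host in ingress_hosts(inventory):
        owners[host].append("%s/%s" % (ns, name))
    return {host: sorted(names) for host, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    for v in audit_required_labels(INVENTORY, ["hr"]):
        print("violation:", v)
    print("duplicate hosts:", audit_unique_hosts(INVENTORY))
    new_ingress = {"metadata": {"namespace": "prod", "name": "storefront"},
                   "spec": {"rules": [{"host": "shop.example.com"}]}}
    print("admission:", unique_host_violations(INVENTORY, new_ingress) or "allowed")
```

<p>Two practical consequences follow. The ingress policy only works if Ingress objects are in the sync list: a kind that is not replicated is simply absent from <code>data.inventory<\/code>, so a Constraint reading it sees nothing and never fires, which fails open rather than closed. And because admission and audit both read the replicated copy, two requests that claim the same hostname at the same moment can both be admitted before either has been replicated; the audit pass is what catches that afterwards.<\/p>
<p>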
For example, the configuration below replicates all Namespace and Pod resources to OPA.<\/p>\n<div class=\"highlight\">\n<pre style=\"background-color:#f8f8f8\"><code class=\"language-yaml\" data-lang=\"yaml\">apiVersion: config.gatekeeper.sh\/v1alpha1\nkind: Config\nmetadata:\n  name: config\n  namespace: &#034;gatekeeper-system&#034;\nspec:\n  sync:\n    syncOnly:\n      - group: &#034;&#034;\n        version: &#034;v1&#034;\n        kind: &#034;Namespace&#034;\n      - group: &#034;&#034;\n        version: &#034;v1&#034;\n        kind: &#034;Pod&#034;<\/code><\/pre>\n<\/div>\n<p>Only the kinds listed under <code>syncOnly<\/code> are replicated. A Constraint that reads a kind not listed here finds no data for it and therefore never reports a violation, so keep the list in step with what your Rego actually references; conversely, every replicated object is held in memory by the Gatekeeper controller, so do not sync more than your policies need.<\/p>\n<h2 id=\"planned-for-future\">Planned for Future<\/h2>\n<p>The community behind the Gatekeeper project will be focusing on:<\/p>\n<ul>\n<li>mutating admission control, to support mutation scenarios such as automatically annotating objects with departmental information when a new resource is created;<\/li>\n<li>external data, to inject context from outside the cluster into admission decisions;<\/li>\n<li>dry run, to see the impact of a policy on existing resources in the cluster before enforcing it;<\/li>\n<li>more audit functionality.<\/li>\n<\/ul>\n<p>If you are interested in learning more about the project, check out the <a href=\"https:\/\/github.com\/open-policy-agent\/gatekeeper\" target=\"_blank\">Gatekeeper<\/a> repo. If you are interested in helping define the direction of Gatekeeper, join the <a href=\"https:\/\/openpolicyagent.slack.com\/messages\/CDTN970AX\" target=\"_blank\">#kubernetes-policy<\/a> channel on OPA Slack, and join our <a href=\"https:\/\/docs.google.com\/document\/d\/1A1-Q-1OMw3QODs1wT6eqfLTagcGmgzAJAjJihiO3T48\/edit\" target=\"_blank\">weekly meetings<\/a> to discuss development, issues, use cases, etc.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Authors: Rita Zhang (Microsoft), Max Smythe (Google), Craig Hooper (Commonwealth Bank AU), Tim Hinrichs (Styra), Lachie Evenson (Microsoft), Torin Sandall (Styra) The Open Policy Agent Gatekeeper project can be leveraged to help enforce policies and strengthen governance in your Kubernetes environment. 
In this post, we will walk through the goals, history, and current state of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[]}