Managing Policies on Kubernetes using OPA Gatekeeper

As customers scale up their Kubernetes (K8s) environments by adding more clusters and applications, it becomes critical to solve for a consistent, repeatable process to enforce policies and strengthen governance without sacrificing development agility. The OPA Gatekeeper project was conceptualized to provide the necessary tooling to help address this problem. It is important to note that the targeted outcomes usually relate to both security posture (e.g., images must be from approved repositories) and operational efficiencies (e.g., pod quotas). As a result, leveraging OPA Gatekeeper typically involves numerous stakeholders across an enterprise such as application owners, Platform/Ops/SRE teams, and security/compliance administrators.

What is Open Policy Agent (OPA)?

Open Policy Agent (OPA) is a general-purpose policy engine and is a CNCF graduated open source project. OPA provides a high-level declarative language (Rego) that allows specification of policy as code and can be used to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more.

What is OPA Gatekeeper?

Gatekeeper provides first-class integration with OPA and Kubernetes. It utilizes the OPA policy engine and leverages the Kubernetes admission controller to intercept admission requests before they are persisted as objects in K8s.

How does OPA Gatekeeper work?

Once the Gatekeeper components have been installed in a cluster, the API server will trigger the Gatekeeper admission webhook to process the admission request whenever a resource in the cluster is created, updated, or deleted. During this process, Gatekeeper acts as a bridge between the API server and OPA. The API server will enforce all policies executed by OPA.

Every Gatekeeper policy consists of two manifests, a Constraint Template and a Constraint.

• A Constraint Template describes both the Rego that enforces the Constraint and the schema of the Constraint.
• Constraints are then used to inform Gatekeeper that the admin wants a Constraint Template to be enforced, and how. Constraint spec is also used to select the enforcement action (Deny, Warn or Dry Run). By default, it is set to Deny, meaning any admission requests that result in violations are denied.

Gatekeeper also has an Audit feature that runs at a regular, configurable interval to evaluate already deployed Kubernetes resources against Constraints to detect any pre-existing misconfigurations. The Audit results are stored as violations within the Constraint resources themselves.

The official OPA Gatekeeper Library includes samples of Constraint Templates and Constraints that can be used as a baseline.

OPA Gatekeeper Lifecycle in Customer Environments

The operational burden in defining and enforcing OPA Gatekeeper policies and remediating violations across a cluster or two can be handled manually but doing so at scale across many clusters is a daunting exercise.

Addressing the challenges around maintaining a consistent policy configuration and surfacing up violations in a user-friendly manner would require an ongoing investment by enterprises to build and sustain tooling for this specific purpose. Rafay’s Kubernetes Management Platform not only removes the need for such investment but also offers additional benefits that go significantly above and beyond to enable a broad set of services to make life easy for Platform/SRE teams.

Rafay’s Policy Management Service – one of six services on the platform – centralizes both the configuration and ongoing operations required for creating, tuning and managing Gatekeeper policies for the entire fleet of clusters significantly reducing operational complexity. It also provides a comprehensive view of all policy metrics, violations and audits in a centralized dashboard by clusters, environments and teams.

Enforcement of policies configured through OPA Gatekeeper is only one piece of the puzzle from a security and governance standpoint. Rafay allows this to be weaved together with other controls (e.g., requirement of software add-ons, backup and restore) through a cluster blueprinting capability helping customers standardize definition and enforcement of their compliance requirements from a single platform. Rafay’s breadth of services thus allow customers to avoid the problem of ‘yet another vendor and console’.

In Part II of this blog, we will describe how the OPA Gatekeeper lifecycle can be managed through Rafay’s Kubernetes Operations Platform. We will also expand on how it intersects with some of the other security and governance controls offered by the platform.

Want to try this yourself? Sign up for a free trial of the Kubernetes Operations Platform today.