stackconf online 2021 | Policy-as-code in Kubernetes with Gatekeeper

stackconf online 2021 is over and was a full success. It was all about open source infrastructure solutions in the spectrum of continuous integration, container, hybrid and cloud technologies. We’re still excited about all of our experts sessions and the large number of participants who joined us from all over the world. In the following you get an insight about one of our talks.

At stackconf online 2021 Ara Pulido from Datadog talked about „Embracing change: Policy-as-code for Kubernetes with OPA and Gatekeeper“.

What is Kubernetes

Kubernetes is a Container orchestration platform to help you run your containerized applications in production. It provides Role-based Access Control (RBAC) which allows operators to define in a very granular manner which identity is allowed to create or manage which resource. But RBAC does not allow us to control the specification of those resources. So the use of the Open Policy Agent (OPA) Gatekeeper.

What is Open Policy Agent (OPA)

A Policy Rule that governs the behavior of a software service.

The Open Policy Agent (OPA) is an open source project, a policy engine for Cloud Native environments and also a policy engine that can be located with your service. It can be integrated as a sidecar, host-level daemon, or library. On the OPA Website we can find a list of OPA Integrations, use-cases and related projects.

What is Open Policy Agent Gatekeeper

The Open Policy Agent (OPA) Gatekeeper is an admission controller that validates requests to create and update Pods on Kubernetes clusters, using JSON over HTTPS.

Example

In this example, we want to make sure that all labels required by the policy are present in the Kubernetes resource manifest.

To do this, we have to build our Rego query with th help of Gatekeeper. This consists of a package containing a violation definition. The violation defined the input data, the condition to be matched, and a message which gets returned in case of a violation.

This is done by wrapping our query into a ContrainTemplate resource:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
listKind: K8sRequiredLabelsList
plural: k8srequiredlabels
singular: k8srequiredlabels
validation:
# Schema for the `parameters` field
openAPIV3Schema:
properties:
labels:
type: array
items: string
targets:
– target: admission.k8s.gatekeeper.sh
rego: |
package k8srequiredlabels

violation[{„msg“: msg, „details“: {„missing_labels“: missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.parameters.labels[_]}
missing := required – provided
count(missing) > 0
msg := sprintf(„you must provide labels: %v“, [missing])
}

We not yet defined which label we require our Kubernetes resources to have. We also did not yet define on which Kubernetes resources we like to have this policy applied too. To do this, we have to create another manifest called Constraints:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: ns-must-have-gk
spec:
match:
kinds:
– apiGroups: [„“]
kinds: [„Namespace“]
parameters:
labels: [„gatekeeper“]

So Gatekeeper makes reuse of policy simple and the Host must be unique among all Ingresses.

Under https://github.com/open-policy-agent/gatekeeper-library we find all Gatekeeper library.

I liked that the topic was told explicitly with even live examples, and found the speaker awesome. In the comments you could tell people were happy to be at the conference.

Full talk and more from and about stackconf

Watch the the whole talk by Ara Pulido:

 

stackconf 2022 will take place in Berlin. The final date will be announced soon. If you want to learn more about infrastructure solutions in advance you have the possibility to take look at our archive where you can find all slides and videos from this year’s stackconf.

Stay tuned!