Select Page

stackconf online 2021 | Policy-as-code in Kubernetes with Gatekeeper

by | Sep 7, 2021 | stackconf

This entry is part 5 of 27 in the series stackconf online 2021

stackconf online 2021 is over and was a full success. It was all about open source infrastructure solutions in the spectrum of continuous integration, container, hybrid and cloud technologies. We’re still excited about all of our experts sessions and the large number of participants who joined us from all over the world. In the following you get an insight about one of our talks.

At stackconf online 2021 Ara Pulido from Datadog talked about “Embracing change: Policy-as-code for Kubernetes with OPA and Gatekeeper”.

What is Kubernetes

Kubernetes is a Container orchestration platform to help you run your containerized applications in production. It provides Role-based Access Control (RBAC) which allows operators to define in a very granular manner which identity is allowed to create or manage which resource. But RBAC does not allow us to control the specification of those resources. So the use of the Open Policy Agent (OPA) Gatekeeper.

What is Open Policy Agent (OPA)

A Policy Rule that governs the behavior of a software service.

The Open Policy Agent (OPA) is an open source project, a policy engine for Cloud Native environments and also a policy engine that can be located with your service. It can be integrated as a sidecar, host-level daemon, or library. On the OPA Website we can find a list of OPA Integrations, use-cases and related projects.

What is Open Policy Agent Gatekeeper

The Open Policy Agent (OPA) Gatekeeper is an admission controller that validates requests to create and update Pods on Kubernetes clusters, using JSON over HTTPS.

Example

In this example, we want to make sure that all labels required by the policy are present in the Kubernetes resource manifest.

To do this, we have to build our Rego query with th help of Gatekeeper. This consists of a package containing a violation definition. The violation defined the input data, the condition to be matched, and a message which gets returned in case of a violation.

This is done by wrapping our query into a ContrainTemplate resource:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
listKind: K8sRequiredLabelsList
plural: k8srequiredlabels
singular: k8srequiredlabels
validation:
# Schema for the `parameters` field
openAPIV3Schema:
properties:
labels:
type: array
items: string
targets:
– target: admission.k8s.gatekeeper.sh
rego: |
package k8srequiredlabels

violation[{“msg”: msg, “details”: {“missing_labels”: missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.parameters.labels[_]}
missing := required – provided
count(missing) > 0
msg := sprintf(“you must provide labels: %v”, [missing])
}

We not yet defined which label we require our Kubernetes resources to have. We also did not yet define on which Kubernetes resources we like to have this policy applied too. To do this, we have to create another manifest called Constraints:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: ns-must-have-gk
spec:
match:
kinds:
– apiGroups: [“”]
kinds: [“Namespace”]
parameters:
labels: [“gatekeeper”]

So Gatekeeper makes reuse of policy simple and the Host must be unique among all Ingresses.

Under https://github.com/open-policy-agent/gatekeeper-library we find all Gatekeeper library.

I liked that the topic was told explicitly with even live examples, and found the speaker awesome. In the comments you could tell people were happy to be at the conference.

Full talk and more from and about stackconf

Watch the the whole talk by Ara Pulido:

YouTube player

 

stackconf 2022 will take place in Berlin. The final date will be announced soon. If you want to learn more about infrastructure solutions in advance you have the possibility to take look at our archive where you can find all slides and videos from this year’s stackconf.

Stay tuned!

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

More posts on the topic stackconf

stackconf 2023 | Cooking up o11y w/ Feature Flagging

Let's reflect together on the highlights of stackconf 2023. In this blog series, we present our featured speakers and their presentations, which provided us with first-class expert knowledge and inspiring ideas. Today we remember Alayshia Nighten with her presentation...

stackconf 2024 | Announcing our First Speakers

The Wait is Over! We’re super excited to finally announce our first confirmed speakers for stackconf 2024. It’s a diverse group of international experts who specialize in cloud-native infrastructure solutions. Have a look and see which topics interest you the most....

stackconf 2023 | It´s time to rebuild DevOps

Let's dive into the memories of stackconf 2023 together, which provided us with numerous insights and first-class expert knowledge. As part of this blog series, we would like to introduce you to the featured speakers and their presentations. Today - Paul Stack and his...

Trainings

Web Services

Events

Series



Other posts in series: