OPA Gatekeeper

License: Apache 2.0

We use Gatekeeper to enforce sane security standards in the cluster. In addition, we leverage the mutation ability of Gatekeeper to make configuration simpler for our tenants by applying settings they need but don't directly interface with.

Usage

Our primary usage of Gatekeeper focus on the use of Constraints and Mutations. Constraints work by limiting what is possible on the server. Mutations focus on altering objects on the fly for security and convenience.

OPA Gatekeeper uses the Rego language for policies. Most policies make reference to the object being created by referencing it in the input object. Most attributes are available for the input objects, however you may find yourself needing to reference objects that already exist in the cluster as part of your logic, those objects exist in the data.inventory.cluster object.

Data Synchronization

If you need to reference an object in the cluster, the current setting are optimized to selectively sync only certain objects. You will need to edit the gatekeeper config to syncronize additional objects.

Links

• Code: https://github.com/open-policy-agent/gatekeeper

• Releases: https://github.com/open-policy-agent/gatekeeper/releases

• Documentation:

  • General Documentation: https://open-policy-agent.github.io/gatekeeper/website/docs/
  • Gatekeeper Library: https://open-policy-agent.github.io/gatekeeper-library

Gatekeeper Documentation Versioning

Make sure to select the version of the documentation you need in the top right.

• Helm:

  • Releases: https://open-policy-agent.github.io/gatekeeper/charts gatekeeper
  • Helm Documentation: https://open-policy-agent.github.io/gatekeeper/website/docs/install#deploying-via-helm/

• Implementation:

  • eks-cluster: Install Gatekeeper

  https://code.vt.edu/it-common-platform/infrastructure/eks-cluster/-/blob/main/cluster-bootstrap/gatekeeper.tf

  • gatekeeper-policies: A helm chart to install cluster-wide security policies

  https://code.vt.edu/it-common-platform/platform-support/helm-charts/gatekeeper-policies/

  • landlord: A helm chart to setup objects for tenant namespaces, containing many gatekeeper policies

  https://code.vt.edu/it-common-platform/platform-support/helm-charts/landlord

Update Concerns

Critical Concerns

• Any Interruption of the Gatekeeper (Validating Webhook) can potentially let code that was previously prevented from deploying to the cluster to succeed,which has significant security concerns

General Concerns

• If Gatekeeper (Mutating Webhook) isn't running and Flux attempts to provision something without a declared storage class, it will fail due to lack of default storage class.