Open Policy Agent Gatekeeper

  • Canonical Kubernetes
Channel Revision Published Runs on
latest/stable 21 04 Sep 2024
Ubuntu 22.04 Ubuntu 20.04
latest/candidate 19 15 Apr 2024
Ubuntu 22.04 Ubuntu 20.04
latest/beta 21 14 Aug 2024
Ubuntu 22.04 Ubuntu 20.04
latest/edge 20 03 Aug 2024
Ubuntu 22.04 Ubuntu 20.04
1.31/stable 21 04 Sep 2024
Ubuntu 22.04 Ubuntu 20.04
1.31/beta 21 13 Aug 2024
Ubuntu 22.04 Ubuntu 20.04
1.31/edge 20 03 Aug 2024
Ubuntu 22.04 Ubuntu 20.04
1.30/stable 17 11 Jul 2024
Ubuntu 22.04 Ubuntu 20.04
1.30/beta 17 19 Apr 2024
Ubuntu 22.04 Ubuntu 20.04
1.30/edge 17 13 Mar 2024
Ubuntu 22.04 Ubuntu 20.04
1.29/stable 19 17 Apr 2024
Ubuntu 22.04 Ubuntu 20.04
1.29/candidate 19 15 Apr 2024
Ubuntu 22.04 Ubuntu 20.04
1.29/beta 17 17 Apr 2024
Ubuntu 22.04 Ubuntu 20.04
1.29/edge 17 21 Aug 2023
Ubuntu 22.04 Ubuntu 20.04
1.28/stable 16 22 Aug 2023
Ubuntu 22.04 Ubuntu 20.04
1.28/candidate 14 07 Jun 2023
Ubuntu 22.04 Ubuntu 20.04
1.28/beta 16 07 Aug 2023
Ubuntu 22.04 Ubuntu 20.04
1.28/edge 17 09 Aug 2023
Ubuntu 22.04 Ubuntu 20.04
1.27/stable 14 12 Jun 2023
Ubuntu 22.04 Ubuntu 20.04
1.27/candidate 14 12 Jun 2023
Ubuntu 22.04 Ubuntu 20.04
1.27/beta 12 17 Apr 2023
Ubuntu 22.04 Ubuntu 20.04
1.27/edge 11 17 Apr 2023
Ubuntu 22.04 Ubuntu 20.04
1.26/stable 7 27 Feb 2023
Ubuntu 22.04 Ubuntu 20.04
1.26/candidate 7 27 Feb 2023
Ubuntu 22.04 Ubuntu 20.04
1.26/beta 9 08 Apr 2023
Ubuntu 22.04 Ubuntu 20.04
juju deploy gatekeeper-controller-manager
Show information

Platform:

OPA gatekeeper is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement.

Gatekeeper is a validating webhook that enforces CRD-based policies executed by Open Policy Agent. Policies are defined in a language called rego. Incoming requests that try to create or alter a resource that violates any of these policies will be rejected.

In addition to admission, Gatekeeper offers audit functionality, which allows administrators to see which resources are currently violating any given policy.

Deployment

The gatekeeper webhook and audit services exist in separate charms, you should deploy both of them. To deploy the operators you will first need a Kubernetes model in Juju. Add your Kubernetes as a cloud to your Juju controller:

juju add-k8s k8s-cloud --controller $(juju switch | cut -d: -f1)

Next, create a new Kubernetes model:

juju add-model gatekeeper-system k8s-cloud

Then you can deploy the Gatekeeper charms:

juju deploy ch:gatekeeper-controller-manager
juju deploy ch:gatekeeper-audit

Note: Using RBAC

If using RBAC, you must deploy the charms using the --trust flag as the charm needs permissions in order to create the necessary resources:

juju deploy --trust ch:gatekeeper-controller-manager
juju deploy --trust ch:gatekeeper-audit

Policies

Policies are defined as ConstraintTemplate CRDs in a language called rego. Constraints are then used to inform Gatekeeper that the admin wants a ConstraintTemplate to be enforced, and how.

To get a list of the constraints run:

kubectl get constraints

Or with the juju command:

juju run-action {unit_name} -m {model_name} --wait list-violations

And then to get the violations for a specific constraint run:

juju run-action {unit_name} -m {model_name} --wait get-violation constraint-template={constraint_template} constraint={constraint}

Configuration

Not much needs to be configured when running OPA gatekeeper. All configurations available are related to optimizing the auditting:

audit-chunk-size:
  default: 500
  description: |
    Lower chunk size can reduce memory consumption of the auditing Pod but
    can increase the number requests to the Kubernetes API server.
audit-interval:
  default: 60
  description: Interval between the audits, to disable the interval set `audit-interval=0`
constraint-violations-limit:
  default: 20
  description: |
    The number of violations that will be reported, If the number of current violations
    is greater than this cap, the excess violations will not be reported but they
    will be included in the totalViolations count

Metrics

Both charms provide out of the box integration with the prometheus-k8s and the grafana-agent-k8s charms.

If you have those two charms deployed, you can integrate them with gatekeeper simply by running:

juju relate grafana-agent-k8s gatekeeper-controller-manager
juju relate grafana-agent-k8s:send-remote-write prometheus-k8s:receive-remote-write

This will provide you with metrics like how many requests were denied, how many were processed, how many violations exist in the cluster, etc.

Reconciliation

The gatekeeper charms manage the same Kubernetes resources(roles, crds, etc.). If for some reason you wish to delete one of the two charms while keeping the other you should be very careful, as it will cause all of the resources to be deleted.

In that scenario you will need to reconcile (recreate) the resources by running:

juju run-action {unit_name} -m {model_name} reconcile-resources --wait

This will cause all the policies to be deleted as well, which means you will have to reapply them.

Test the Gatekeeper charm

To test the gatekeeper charms you can try applying the test policy available on the charms’ repo:

kubectl apply -f https://raw.githubusercontent.com/charmed-kubernetes/opa-gatekeeper-operators/main/docs/policy-example.yaml
kubectl apply -f https://raw.githubusercontent.com/charmed-kubernetes/opa-gatekeeper-operators/main/docs/policy-spec-example.yaml

This policy will require all namespaces to have the label gatekeeper=True, creating a new ns without that should fail:

kubectl create ns test

…should return…

Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ns-must-have-gk] you must provide labels: {"gatekeeper"}

After a while you should also be able to see violations of the policy from the existing resources. For example:

kubectl get constraints

… will return something similar to:

NAME              ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
ns-must-have-gk                                6