The gatekeeper component facilitates the management and enforcement of policies executed
by Open Policy Agent (OPA) in Kubernetes clusters. This topic describes the architecture
of gatekeeper and provides an example of how to use gatekeeper.
Background information
For more information about OPA, see Open Policy Agent.
Architecture
Examples
You can use gatekeeper to constrain pod deployments in specified namespaces based
on labels. In this example, a Constraint is defined to declare that all pods created
in a specified namespace must be labeled with gatekeeper-test-label.
- Run the following commands to create a test-gatekeeper namespace and attach the name=test-gatekeeper label to the namespace:
kubectl create ns test-gatekeeper
kubectl label ns test-gatekeeper name=test-gatekeeper
- Run the following command to create a Constraint template that can be used to define
Constraints on pod labels:
kubectl apply -f - <<EOF
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
validation:
openAPIV3Schema:
properties:
labels:
type: array
items: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8srequiredlabels
violation[{"msg": msg, "details": {"missing_labels": missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.parameters.labels[_]}
missing := required - provided
count(missing) > 0
msg := sprintf("you must provide labels: %v", [missing])
}
EOF
It takes about 10 seconds to initialize the Constraint template.
- Run the following command to create a Constraint from the preceding Constraint template.
This Constraint declares that all pods created in a namespace that is attached with
the name=test-gatekeeper label must be labeled with gatekeeper-test-label.
kubectl apply -f - <<EOF
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: pod-must-have-gatekeeper-test-label
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
namespaceSelector:
matchExpressions:
- key: name
operator: In
values: ["test-gatekeeper"]
parameters:
labels: ["gatekeeper-test-label"]
EOF
It takes about 10 seconds to initialize the Constraint.
- Perform the following steps to verify the enforcement of the Constraint:
- Run the following command to create a pod that is not labeled with gatekeeper-test-label in the test-gatekeeper namespace. The namespace is not attached with name=test-gatekeeper. Therefore, the creation fails.
kubectl -n test-gatekeeper run test-deny --image=nginx --restart=Never
Error from server ([denied by pod-must-have-gatekeeper-test-label] you must provide labels: {"gatekeeper-test-label"}): admission webhook "validation.gatekeeper.sh" denied the request: [denied by pod-must-have-gatekeeper-test-label] you must provide labels: {"gatekeeper-test-label"}
- Run the following command to create a pod that is labeled with gatekeeper-test-label in the test-gatekeeper namespace. The namespace is attached with name=test-gatekeeper. Therefore, the creation succeeds.
kubectl -n test-gatekeeper run test-pass -l gatekeeper-test-label=pass --image=nginx --restart=Never
pod/test-pass created
- Run the following command to create a pod that is not labeled with gatekeeper-test-label in the default namespace. The namespace is not subject to the Constraint. Therefore,
the creation succeeds.
kubectl -n default run test-deny --image=nginx --restart=Never
pod/test-deny created