Container Service for Kubernetes: gatekeeper component overview and release history

Last Updated: Mar 26, 2026

The gatekeeper component integrates Open Policy Agent (OPA) into Container Service for Kubernetes (ACK) clusters, letting you define and enforce admission policies using Kubernetes-native Custom Resource Definitions (CRDs). Use gatekeeper to control what resources can be created in your cluster based on labels, resource types, namespaces, and other attributes. You can also use gatekeeper to manage labels of namespaces.

To start using gatekeeper, complete the following steps:

  1. Install gatekeeper from the Add-ons page in the ACK console. See Manage components.

  2. Create a constraint template that defines the policy logic in Rego.

  3. Create a constraint that applies the template to specific namespaces or resource types.

  4. Verify that the constraint allows or denies requests as expected.

For more information about OPA, see Open Policy Agent.

Gatekeeper architecture

How it works

Gatekeeper works as a Kubernetes admission webhook. When a resource creation or update request reaches the API server, the validation.gatekeeper.sh webhook intercepts it and evaluates the request against all active constraints.

The policy model has two layers:

  • ConstraintTemplate: defines the policy logic in Rego and registers a new Custom Resource Definition (CRD) kind in the cluster.

  • Constraint: an instance of a ConstraintTemplate that specifies which resources the policy applies to and what parameters to enforce.

For more information about policy authoring, see How to use Gatekeeper.

Enforce pod label policies

The following example shows how to require that all pods created in a specific namespace carry a designated label. The constraint template initializes in about 10 seconds; the constraint itself also takes about 10 seconds to become active.

Prerequisites

Before you begin, ensure that you have:

  • An ACK cluster with gatekeeper installed

  • kubectl configured to connect to the cluster

Create a namespace and label it

Create a test namespace and attach the label that the constraint will match against:

kubectl create ns test-gatekeeper
kubectl label ns test-gatekeeper name=test-gatekeeper

Create a constraint template

The constraint template below registers a new CRD kind called K8sRequiredLabels and defines the policy logic in Rego:

kubectl apply -f - <<EOF
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        openAPIV3Schema:
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        # A violation is triggered when required labels are missing from the resource.
        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          # Collect all labels on the incoming resource.
          provided := {label | input.review.object.metadata.labels[label]}
          # Collect all labels required by the constraint parameters.
          required := {label | label := input.parameters.labels[_]}
          # Compute the set of labels that are required but not provided.
          missing := required - provided
          count(missing) > 0
          msg := sprintf("you must provide labels: %v", [missing])
        }
EOF

Wait about 10 seconds for the constraint template to initialize before proceeding.

Create a constraint

Create a constraint that applies the K8sRequiredLabels template to all pods in any namespace labeled name=test-gatekeeper, requiring each pod to carry the gatekeeper-test-label label:

kubectl apply -f - <<EOF
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: pod-must-have-gatekeeper-test-label
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaceSelector:
      matchExpressions:
      - key: name
        operator: In
        values: ["test-gatekeeper"]
  parameters:
    labels: ["gatekeeper-test-label"]
EOF

Wait about 10 seconds for the constraint to become active.

Verify the constraint

Run the following tests to confirm that the constraint behaves correctly.

Test 1: Pod without the required label is denied.

kubectl -n test-gatekeeper run test-deny --image=nginx --restart=Never

Expected output:

Error from server ([denied by pod-must-have-gatekeeper-test-label] you must provide labels: {"gatekeeper-test-label"}): admission webhook "validation.gatekeeper.sh" denied the request: [denied by pod-must-have-gatekeeper-test-label] you must provide labels: {"gatekeeper-test-label"}

The pod is rejected because the test-gatekeeper namespace matches the constraint selector and the pod lacks the gatekeeper-test-label label.

Test 2: Pod with the required label is allowed.

kubectl -n test-gatekeeper run test-pass -l gatekeeper-test-label=pass --image=nginx --restart=Never

Expected output:

pod/test-pass created

The pod is admitted because it carries the gatekeeper-test-label label.

Test 3: Pod in an unconstrained namespace is allowed.

kubectl -n default run test-deny --image=nginx --restart=Never

Expected output:

pod/test-deny created

The default namespace does not have the name=test-gatekeeper label, so the constraint does not apply.
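The following Python script is an added example and is not part of this page or of the Gatekeeper project. It models offline the two decisions described above that the validation.gatekeeper.sh webhook makes for a Pod create request: whether the constraint's match block selects the request (kinds plus namespaceSelector) and whether the K8sRequiredLabels Rego rule produces a violation (required minus provided labels). The constraint and namespace labels are the ones from this page; the pod objects, the NAMESPACE_LABELS table and every function name are constructed for the example. It goes slightly beyond the page by handling all four matchExpressions operators and matchLabels, and by treating a pod with no metadata.labels field at all as an empty provided set, which is what the Rego comprehension does.

```python
"""Offline model of the pod-label admission check (added example, not Gatekeeper code)."""

# The constraint from the page, as the dict Gatekeeper would evaluate.
CONSTRAINT = {
    "name": "pod-must-have-gatekeeper-test-label",
    "match": {
        "kinds": [{"apiGroups": [""], "kinds": ["Pod"]}],
        "namespaceSelector": {
            "matchExpressions": [
                {"key": "name", "operator": "In", "values": ["test-gatekeeper"]}
            ]
        },
    },
    "parameters": {"labels": ["gatekeeper-test-label"]},
}

# Constructed namespace label table: only the test namespace carries name=test-gatekeeper.
NAMESPACE_LABELS = {
    "test-gatekeeper": {"name": "test-gatekeeper"},
    "default": {},
}


def selector_matches(selector, labels):
    """Evaluate a Kubernetes label selector (matchLabels and matchExpressions) against labels.

    An empty selector matches everything, as it does for a missing namespaceSelector.
    """
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        present = key in labels
        if op == "In" and not (present and labels[key] in expr["values"]):
            return False
        if op == "NotIn" and present and labels[key] in expr["values"]:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def constraint_applies(constraint, api_group, kind, namespace):
    """Step 1: does the constraint's match block select this (group, kind) in this namespace?"""
    match = constraint["match"]
    kind_ok = any(
        ("*" in entry["apiGroups"] or api_group in entry["apiGroups"])
        and ("*" in entry["kinds"] or kind in entry["kinds"])
        for entry in match.get("kinds", [])
    )
    if not kind_ok:
        return False
    ns_labels = NAMESPACE_LABELS.get(namespace, {})
    return selector_matches(match.get("namespaceSelector", {}), ns_labels)


def required_labels_violations(review_object, parameters):
    """Step 2: the K8sRequiredLabels rule. Returns the set of labels that are required but missing.

    Mirrors the Rego: provided = keys of metadata.labels, required = parameters.labels,
    missing = required - provided. A pod with no labels field at all yields an empty
    provided set, exactly as the Rego set comprehension does on an undefined path.
    """
    metadata = review_object.get("metadata", {})
    provided = set((metadata.get("labels") or {}).keys())
    required = set(parameters.get("labels", []))
    return required - provided


def admit(constraint, namespace, pod_labels=None):
    """Run both steps for a Pod create request and return (allowed, message)."""
    pod = {"kind": "Pod", "metadata": {"name": "test", "namespace": namespace}}
    if pod_labels is not None:
        pod["metadata"]["labels"] = dict(pod_labels)
    if not constraint_applies(constraint, "", "Pod", namespace):
        return True, "pod created (constraint does not match this namespace)"
    missing = required_labels_violations(pod, constraint["parameters"])
    if missing:
        return False, "[denied by %s] you must provide labels: %s" % (
            constraint["name"], sorted(missing))
    return True, "pod created"


if __name__ == "__main__":
    # The three verification tests from the page. `kubectl run` without -l
    # labels the pod run=<name>, which is not the required label.
    print("Test 1:", admit(CONSTRAINT, "test-gatekeeper", {"run": "test-deny"}))
    print("Test 2:", admit(CONSTRAINT, "test-gatekeeper", {"gatekeeper-test-label": "pass"}))
    print("Test 3:", admit(CONSTRAINT, "default", {"run": "test-deny"}))
```

Running the script prints a denied result for Test 1 and allowed results for Tests 2 and 3, matching the kubectl output above. The model is deliberately narrow: it covers validation only (not mutation or audit), and a real webhook evaluates every active constraint, not just one.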

Release notes

March 2025

Version: v3.18.2.192-ge2860248-aliyun
Image address: registry-cn-hangzhou.ack.aliyuncs.com/acs/gatekeeper:v3.18.2.192-ge2860248-aliyun
Release date: 2025-03-04
Description:
  • OPA Gatekeeper is updated to 3.18.2. The gatekeeper component depends on OPA Gatekeeper. For more information, see v3.18.2.
  • The component's Go version is upgraded to 1.23.6 to improve stability.
Impact: If exceptions occur during the component update, changes to cluster resources may fail. Perform the update during off-peak hours.

December 2024

Version: v3.17.1.174-g6383c639-aliyun
Image address: registry-cn-hangzhou.ack.aliyuncs.com/acs/gatekeeper:v3.17.1.174-g6383c639-aliyun
Release date: 2024-12-09
Description: OPA Gatekeeper is updated to 3.17.1. The gatekeeper component depends on OPA Gatekeeper. For more information, see v3.17.1.
Impact: If exceptions occur during the component update, changes to cluster resources may fail. Perform the update during off-peak hours.

September 2024

Version: v3.16.3.158-g5e73c0ad-aliyun
Image address: registry-cn-hangzhou.ack.aliyuncs.com/acs/gatekeeper:v3.16.3.158-g5e73c0ad-aliyun
Release date: 2024-09-25
Description: OPA Gatekeeper is updated to 3.16.3. The gatekeeper component depends on OPA Gatekeeper. For more information, see v3.16.3.
Impact: If exceptions occur during the component update, changes to cluster resources may fail. Perform the update during off-peak hours.

March 2024

Version: v3.15.1.150-g29b8b2a8-aliyun
Image address: registry-cn-hangzhou.ack.aliyuncs.com/acs/gatekeeper:v3.15.1.150-g29b8b2a8-aliyun
Release date: 2024-03-27
Description: OPA Gatekeeper is updated to 3.15.1. The gatekeeper component depends on OPA Gatekeeper. For more information, see v3.15.1.
Impact: If exceptions occur during the component update, changes to cluster resources may fail. Perform the update during off-peak hours.

October 2023

Version: v3.12.0.138-g1ee37e37-aliyun
Image address: registry-cn-hangzhou.ack.aliyuncs.com/acs/gatekeeper:v3.12.0.138-g1ee37e37-aliyun
Release date: 2023-10-09
Description:
  • OPA Gatekeeper is updated to 3.12.0. The gatekeeper component depends on OPA Gatekeeper. For more information, see v3.12.0.
  • Policies can be configured to handle Service deletion events.
Impact: If exceptions occur during the component update, changes to cluster resources may fail. Perform the update during off-peak hours.

April 2023

Version: v3.10.0.130-g0e79597d-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/gatekeeper:v3.10.0.130-g0e79597d-aliyun
Release date: 2023-04-18
Description:
  • OPA Gatekeeper is updated to 3.10.0. The gatekeeper component depends on OPA Gatekeeper. For more information, see v3.10.0.
  • The data replication feature is disabled by default. Enable it on the Add-ons page of the ACK console. For more information, see Replicating Data.
  • Policies can be configured to handle namespace deletion events.
  • Kubernetes 1.26 is supported.
Impact: If exceptions occur during the component update, changes to cluster resources may fail. Perform the update during off-peak hours.

June 2022

Version: v3.8.1.113-geb7947ef-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/gatekeeper:v3.8.1.113-geb7947ef-aliyun
Release date: 2022-06-08
Description:
  • OPA Gatekeeper is updated to 3.8.1. The gatekeeper component depends on OPA Gatekeeper. For more information, see v3.8.1.
  • Audit pods are disabled by default. Enable them on the Add-ons page of the ACK console.
  • CPU resources, memory, and replica count can be configured on the Add-ons page of the ACK console.
Impact: If exceptions occur during the component update, changes to cluster resources may fail. Perform the update during off-peak hours.

April 2022

Version: v3.7.1.93-gaf375989-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/gatekeeper:v3.7.1.93-gaf375989-aliyun
Release date: 2022-04-02
Description: The Mutation feature can be enabled on the Add-ons page of the ACK console. It is disabled by default. For more information, see Mutation.
Impact: If exceptions occur during the component update, changes to cluster resources may fail. Perform the update during off-peak hours.

February 2022

Version: v3.7.0.84-gf5fd3ffd-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/gatekeeper:v3.7.0.84-gf5fd3ffd-aliyun
Release date: 2022-02-15
Description: Component performance is optimized. Abnormal CPU utilization in extreme cases is fixed.
Impact: If exceptions occur during the component update, changes to cluster resources may fail. Perform the update during off-peak hours.

January 2022

Version: v3.7.0.82-gafe4391b-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/gatekeeper:v3.7.0.82-gafe4391b-aliyun
Release date: 2022-01-14
Description:
  • OPA Gatekeeper is updated to 3.7.0. The gatekeeper component depends on OPA Gatekeeper. For more information, see v3.7.0.
  • ARM64 architecture is supported.
Impact: If exceptions occur during the component update, changes to cluster resources may fail. Perform the update during off-peak hours.

September 2021

Version: v3.6.0.62-g156146d-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/gatekeeper:v3.6.0.62-g156146d-aliyun
Release date: 2021-09-20
Description:
  • gatekeeper 3.6.0.62 and later versions support only ACK clusters running Kubernetes 1.16.9 and later.
  • OPA Gatekeeper is updated to 3.6.0. The gatekeeper component depends on OPA Gatekeeper. For more information, see v3.6.0.
Impact: If exceptions occur during the component update, changes to cluster resources may fail. Perform the update during off-peak hours.

March 2021

Version: v3.3.0.24-8e68abc-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/gatekeeper:v3.3.0.24-8e68abc-aliyun
Release date: 2021-03-16
Description:
  • gatekeeper can be installed in registered clusters.
  • OPA Gatekeeper is updated to 3.3.0. The gatekeeper component depends on OPA Gatekeeper.
Impact: If exceptions occur during the component update, changes to cluster resources may fail. Perform the update during off-peak hours.

August 2020

Version: v3.1.0.11-24bab09-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/gatekeeper:v3.1.0.11-24bab09-aliyun
Release date: 2020-08-20
Description: OPA Gatekeeper is updated to 3.1.0-beta.12. OPA Gatekeeper is the open source project on which the gatekeeper component is based and depends.
Impact: If exceptions occur during the component update, changes to cluster resources may fail. Perform the update during off-peak hours.