The gatekeeper component facilitates the management and enforcement of policies executed by Open Policy Agent (OPA) in Kubernetes clusters. This allows you to manage the labels of namespaces. This topic describes the features, usage notes, and release notes for gatekeeper.
Introduction
OPA is an open source policy engine that is commonly used to implement policies in stacks in a standardized and context-aware manner. You can use the gatekeeper component to manage and implement OPA policies, and manage labels of namespaces in Container Service for Kubernetes (ACK) clusters. For more information about OPA, see Open Policy Agent. The following figure shows the architecture of gatekeeper.
For more information about how to install gatekeeper, see Manage components.
Usage notes
You can use gatekeeper to constrain pod deployments in specific namespaces based on labels. In this example, a constraint is defined to declare that all pods that are created in a specific namespace must be labeled with gatekeeper-test-label. For more information about how to use gatekeeper, see How to use Gatekeeper.
1. Run the following commands in sequence to create a namespace named test-gatekeeper and add the name=test-gatekeeper label to it:

```shell
kubectl create ns test-gatekeeper
kubectl label ns test-gatekeeper name=test-gatekeeper
```

2. Run the following command to create a constraint template that can be used to define constraints on pod labels:

```shell
kubectl apply -f - <<EOF
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        openAPIV3Schema:
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("you must provide labels: %v", [missing])
        }
EOF
```

It takes about 10 seconds to initialize the constraint template.

3. Run the following command to create a constraint from the preceding constraint template. The constraint declares that all pods created in a namespace that has the name=test-gatekeeper label must be labeled with gatekeeper-test-label:

```shell
kubectl apply -f - <<EOF
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: pod-must-have-gatekeeper-test-label
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaceSelector:
      matchExpressions:
        - key: name
          operator: In
          values: ["test-gatekeeper"]
  parameters:
    labels: ["gatekeeper-test-label"]
EOF
```

It takes about 10 seconds to initialize the constraint.

4. Check whether the namespace is constrained.

   a. Run the following command to create a pod that is not labeled with gatekeeper-test-label in the test-gatekeeper namespace, which carries the name=test-gatekeeper label:

```shell
kubectl -n test-gatekeeper run test-deny --image=nginx --restart=Never
```

   The following output indicates that pods without the gatekeeper-test-label label cannot be created in the namespace:

```
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [pod-must-have-gatekeeper-test-label] you must provide labels: {"gatekeeper-test-label"}
```

   b. Run the following command to create a pod that is labeled with gatekeeper-test-label in the test-gatekeeper namespace:

```shell
kubectl -n test-gatekeeper run test-pass-1 -l gatekeeper-test-label=pass --image=nginx --restart=Never
```

   The following output indicates that pods with the gatekeeper-test-label label can be created in the namespace:

```
pod/test-pass-1 created
```

   c. Run the following command to create an unlabeled pod in the default namespace. The default namespace does not carry the name=test-gatekeeper label and is therefore not subject to the constraint:

```shell
kubectl -n default run test-pass-2 --image=nginx --restart=Never
```

   The following output indicates that pods without the gatekeeper-test-label label can still be created in other namespaces:

```
pod/test-pass-2 created
```

The preceding steps show that gatekeeper can be used to constrain pod creation in a specific namespace. In this example, every pod created in the namespace must have the gatekeeper-test-label label.
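The admission decision made by the template and constraint above can be reproduced offline, which is useful for reasoning about a policy before it is applied to a cluster. The following Python model is an added example, not part of the gatekeeper component or the OPA Gatekeeper project; the namespace labels and AdmissionReview inputs are constructed to match the three pods created above, and the NotIn/Exists/DoesNotExist selector branches are assumptions that go beyond the In operator this page uses.

```python
# Offline model of the K8sRequiredLabels constraint shown on this page.
# Added example; it mirrors the Rego violation rule plus the constraint's
# match block (kinds + namespaceSelector), so the decision can be tested
# without a cluster.

# Constructed to mirror the pod-must-have-gatekeeper-test-label constraint.
CONSTRAINT = {
    "name": "pod-must-have-gatekeeper-test-label",
    "kinds": [{"apiGroups": [""], "kinds": ["Pod"]}],
    "namespace_selector": [{"key": "name", "operator": "In", "values": ["test-gatekeeper"]}],
    "parameters": {"labels": ["gatekeeper-test-label"]},
}

def namespace_matches(ns_labels, match_expressions):
    """Evaluate namespaceSelector.matchExpressions against the namespace's labels.
    In is what the page uses; the other operators are assumed standard semantics."""
    for expr in match_expressions:
        key, op = expr["key"], expr["operator"]
        present = key in ns_labels
        if op == "In" and not (present and ns_labels[key] in expr["values"]):
            return False
        if op == "NotIn" and present and ns_labels[key] in expr["values"]:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True

def kind_matches(review, kinds):
    """Only objects whose group/kind appear in match.kinds are evaluated."""
    group, kind = review["kind"].get("group", ""), review["kind"]["kind"]
    return any(group in k["apiGroups"] and kind in k["kinds"] for k in kinds)

def violations(review, ns_labels, constraint=CONSTRAINT):
    """Return the denial messages gatekeeper would emit; [] means admitted.
    Mirrors the Rego: missing := required - provided; count(missing) > 0."""
    if not kind_matches(review, constraint["kinds"]):
        return []
    if not namespace_matches(ns_labels, constraint["namespace_selector"]):
        return []
    provided = set(review["object"].get("metadata", {}).get("labels") or {})
    missing = set(constraint["parameters"]["labels"]) - provided
    if not missing:
        return []
    rendered = "{" + ", ".join('"%s"' % l for l in sorted(missing)) + "}"
    return ["[%s] you must provide labels: %s" % (constraint["name"], rendered)]

def pod_review(name, namespace, labels=None):
    """Build a minimal AdmissionReview request for a Pod (constructed input)."""
    meta = {"name": name, "namespace": namespace}
    if labels:
        meta["labels"] = labels
    return {"kind": {"group": "", "kind": "Pod"}, "object": {"metadata": meta}}
```

Feeding the model the same three pods as the procedure reproduces the deny for test-deny and the admits for test-pass-1 and test-pass-2; the namespace labels, not the pod labels, decide whether the constraint applies at all.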
Release notes
March 2024
| Version number | Image address | Release date | Description | Impact |
|---|---|---|---|---|
| v3.15.1.150-g29b8b2a8-aliyun | registry-cn-hangzhou.ack.aliyuncs.com/acs/gatekeeper:v3.15.1.150-g29b8b2a8-aliyun | 2024-03-27 | This version is in canary release. OPA Gatekeeper is updated to 3.15.1. The gatekeeper component depends on OPA Gatekeeper. For more information about OPA Gatekeeper 3.15.1, see v3.15.1. | If exceptions occur during the component update, changes to cluster resources may fail. We recommend that you perform the update during off-peak hours. |