OPA Gatekeeper docs

Prachi Damle
2020-03-27 00:32:23 -07:00
committed by Catherine Luse
parent b904035ec4
commit 7cd87eac0e
2 changed files with 84 additions and 0 deletions
@@ -13,6 +13,7 @@ Rancher contains a variety of tools that aren't included in Kubernetes to assist
- [Logging](#logging)
- [Monitoring](#monitoring)
- [Istio](#istio)
- [OPA Gatekeeper](#opa)
<!-- /TOC -->
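Review bot: the new TOC entry `- [OPA Gatekeeper](#opa)` points at an anchor that does not match the heading added in the next hunk; a heading `## OPA Gatekeeper` renders as `#opa-gatekeeper`, so the link will be dead. Use `- [OPA Gatekeeper](#opa-gatekeeper)`, matching the pattern of the other entries (`#logging`, `#monitoring`, `#istio`).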
@@ -47,3 +48,7 @@ Using Rancher, you can monitor the state and processes of your cluster nodes, Ku
## Istio
[Istio](https://istio.io/) is an open-source tool that makes it easier for DevOps teams to observe, control, troubleshoot, and secure the traffic within a complex network of microservices. For details on how to enable Istio in Rancher, refer to the [Istio section.]({{<baseurl>}}/rancher/v2.x/en/cluster-admin/tools/istio)
## OPA Gatekeeper
[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) is an open-source project that provides integration between OPA and Kubernetes to provide policy control via admission controller webhooks. For details on how to enable Gatekeeper in Rancher, refer to the [OPA Gatekeeper section.]({{<baseurl>}}/rancher/v2.x/en/cluster-admin/tools/opa-gatekeeper)
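Review bot: the sentence "provides integration between OPA and Kubernetes to provide policy control via admission controller webhooks" repeats "provides"; suggest "integrates OPA with Kubernetes to enforce policy through admission controller webhooks". It would also help readers evaluating the feature to say here, as the new page does, that Gatekeeper runs as a validating webhook and that the Rancher integration is experimental in v2.4.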
@@ -0,0 +1,79 @@
---
title: OPA Gatekeeper
weight: 1
---
_Available as of v2.4.0_
Rancher v2.4 release provides the ability to enable OPA Gatekeeper in Kubernetes clusters and also installs a couple of builtin policy definitions aka constraint templates.
OPA Gatekeeper is made availale via Rancher's helm system chart and installs in a namespace "gatekeeper-system".
This is an experimental feature for v2.4 release.
To ensure consistency and compliance, every organization needs ability to define and enforce policies in its environment in an automated way.
OPA [https://www.openpolicyagent.org/] is a policy engine that facilitates policy based control for Cloud native environments.
OPA provides a high-level declarative language that lets you specify policy as code and ability to extend simple APIs to offload policy decision-making.
To read more about OPA, please refer https://www.openpolicyagent.org/docs/latest/
OPA Gatekeeper[https://github.com/open-policy-agent/gatekeeper] is a project that provides integration between OPA and Kubernetes. OPA Gatekeeper provides:
- An extensible, parameterized policy library.
- Native Kubernetes CRDs for instantiating the policy library (aka “constraints”).
- Native Kubernetes CRDs for extending the policy library (aka “constraint templates”).
- Audit functionality.
Kubernetes provides ability to extend API server functionality via admission controller webhooks, which are invoked whenever a resourse is created, updated or deleted.
Gatekeeper is installed as a validating webhook and enforces policies defined via Kubernetes CRDs.
In addition to the admission control usage, Gatekeeper also contains ability to audit existing resources in the Kubernetes clusters and mark current violations of enabled policies.
## Enabling Gatekeeper in your cluster
1. Only Global Admins or Cluster owners can enable Gatekeeper
1. Navigate to the cluster's Dashboard view
1. On the left side menu, Expand the Cluster menu and click on OPA Gatekeeper
1. To install Gatekeeper with default config click on "Enable Gatekeeper (v0.1.0) with defaults".
1. To change any default configuration click on "Customize Gatekeeper yaml configuration"
## Constraint templates
[Constraint templates](https://github.com/open-policy-agent/gatekeeper#constraint-templates) are Kubernetes CRs that define the schema and rego logic of the OPA policy to be applied by Gatekeeper.
1. Enable OPA Gatekeeper in your cluster via the Dashboard view
1. After enabling OPA Gatekeeper, on the left side menu under OPA Gatekeeper click on "Templates" to list the constraint templates installed in the cluster.
1. Rancher installs a couple of templates by default.
1. Rancher also provides ability to create your own constraint templates by importing yaml definition.
## Constraints
[Constraints](https://github.com/open-policy-agent/gatekeeper#constraints) are Kubernetes CRs that define the scope of objects to which a specific constraint template applies to.
Constraint templates and Constraints together define the complete policy.
1. Enable OPA Gatekeeper in your cluster via the Dashboard view
1. After enabling OPA Gatekeeper, on the left side menu under OPA Gatekeeper click on "Constraints" to list the constraints installed.
1. Users can create new constraints from a constraint template.
1. Rancher provides the ability to create a constraint via a convenient form that lets you input the various constraint fields.
1. Also Edit as yaml option is availble to input the constraint's yaml definition.
## Enforcing constraints in your cluster
1. Create constraint using the form
1. Choose "Deny" for "Enforcement Action" field on the create constraint form
1. When the "Enforcement Action" is "Deny", the constraint is immediately enabled and will deny any requests that violates the policy defined.
1. By default, the value is "Deny"
1. When the "Enforcement Action" is "Dryrun" then any resources that violates the policy are only recorded under the constraint's status field.
## Audit and violations in your cluster
1. Enable OPA Gatekeeper in your cluster via the Dashboard view.
1. Gatekeeper runs a periodic audit to check if any existing resource violates any enforced constraint.
1. The audit-interval (default 300s) can be configured while installing Gatekeeper.
1. On the Gatekeeper page, any violations of the defined constraints will be listed.
1. Also under "Constraints", number of violations of the constraint will be found.
1. Detail view of each constraint will list the information of the resource that violated the constraint
## Disabling Gatekeeper
1. Navigate to the cluster's Dashboard view
1. On the left side menu, Expand the Cluster menu and click on OPA Gatekeeper
1. Click the **Vertical Ellipsis (...) > Disable**.
1. Upon disabling, all constraint templates and constraints will also be deleted.
## Exempting Rancher's System Namespaces from Constraints
1. When a Constraint is created, you need to ensure that it does not apply to any Rancher or Kubernetes system namespaces.
1. To limit the scope of the constraint only to user namespaces, always specify these Namespaces under "Match" field of the Constraint
1. If the system namespaces are not excluded, then it is possible to see many resources under them marked as violations of the constraint.
1. Also the constraint may interfere with any other Rancher functionality and deny any system workloads to get deployed.
1. To avoid this, please ensure to exclude all Rancher specific namespaces from your constraints.
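Review bot: the "Exempting Rancher's System Namespaces from Constraints" section is the most consequential part of this page for cluster stability, and its key instruction is ambiguous: "always specify these Namespaces under 'Match' field" does not say whether "these" means the user namespaces to include or the system namespaces to exclude, and the note that an unscoped constraint "may interfere with any other Rancher functionality and deny any system workloads" deserves to be stated before the enforcement section rather than last. Suggest naming explicitly which namespaces belong in the match field and, since "Deny" is the default Enforcement Action, advising users to create a new constraint with "Dryrun" first and review the recorded violations under the constraint's status before switching it to "Deny". Other points in the hunk: the `OPA [https://www.openpolicyagent.org/]` and `OPA Gatekeeper[https://github.com/open-policy-agent/gatekeeper]` references use square brackets around the URL, which Markdown will not render as links (use `[OPA](https://www.openpolicyagent.org/)` form as in the "Constraint templates" section); "availale", "resourse", "availble" are misspelled; "Only Global Admins or Cluster owners can enable Gatekeeper" is a prerequisite, not a step, and should precede the numbered list; "aka constraint templates" and "rego" should read "constraint templates" and "Rego"; and "Disabling Gatekeeper" should warn before the step that disabling deletes all constraint templates and constraints, since that is irreversible from the UI.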