Let's get into it…
In a previous post we covered the fundamentals of Open Policy Agent; this time we follow up with real-life examples of the kind you may find yourself implementing in your organization. The sources used throughout this post are listed under the relevant links at the end.
Installing OPA
Let's start with a demo cluster. We are using k3d, but any tool that bootstraps a throwaway cluster will do. We then install OPA Gatekeeper, the Kubernetes admission controller built on OPA, using its Helm chart.
You can verify that the installation succeeded by checking that the Gatekeeper Custom Resource Definitions exist and that the pods in the gatekeeper-system namespace are running.
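The install and verification steps as one script, added here as an example and not the post's own command listing. It assumes kubectl and helm already point at a disposable cluster, and it takes the chart repository URL, release name and namespace from the upstream Gatekeeper install documentation. It also adds one check the post does not mention: the webhook's failurePolicy, which decides whether requests are admitted when Gatekeeper is unreachable.

```shell
#!/usr/bin/env bash
# Added example, not the post's own command listing. Assumes kubectl and helm
# already point at a disposable demo cluster (the post uses k3d). Repo URL,
# chart, release and namespace names follow the upstream Gatekeeper install docs.
set -eu

GK_NS="gatekeeper-system"

install_gatekeeper() {
  helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
  helm repo update
  helm install gatekeeper/gatekeeper \
    --name-template=gatekeeper \
    --namespace "$GK_NS" --create-namespace
}

# Gatekeeper only enforces once the CRDs exist and the controller pods are Ready.
verify_install() {
  kubectl get crd | grep 'gatekeeper.sh'
  kubectl -n "$GK_NS" rollout status deployment/gatekeeper-controller-manager
  kubectl -n "$GK_NS" rollout status deployment/gatekeeper-audit
  kubectl -n "$GK_NS" get pods
}

# The webhook configuration is what hooks Gatekeeper into the API server. Its
# failurePolicy is Ignore by default, i.e. requests are admitted if the webhook
# is unreachable; print it so the fail-open behaviour is a conscious decision.
show_webhook_failure_policy() {
  kubectl get validatingwebhookconfiguration gatekeeper-validating-webhook-configuration \
    -o jsonpath='{range .webhooks[*]}{.name}{"\t"}{.failurePolicy}{"\n"}{end}'
}

# Usage: ./install-gatekeeper.sh install_gatekeeper && ./install-gatekeeper.sh verify_install
[ "$#" -eq 0 ] || "$@"
```

If show_webhook_failure_policy prints Ignore for validation.gatekeeper.sh, an outage of the Gatekeeper pods silently admits everything; switch the chart value to Fail only after you have made the deployment highly available and exempted the namespaces the cluster needs to recover itself.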
OPA primary functions
OPA Gatekeeper is primarily used for three functions:
Validating resources against defined policies (constraints) at admission time and rejecting requests that violate them.
Mutating resources, i.e. modifying them before they are created or updated so that the stored configuration complies with policy.
Auditing resources that already exist in the cluster and violate a policy, for example resources created before Gatekeeper was installed or that otherwise bypassed the admission controller. Audit is the safety net for anything that never passed through the webhook.
OPA policy example
In this post we will create a validation policy that enforces the use of an internal company registry for container images. Implementing it requires the ConstraintTemplate CRD.
A ConstraintTemplate defines a reusable policy template: the Rego logic is written once and instantiated with different parameters by one or more Constraints. The following ConstraintTemplate checks each container's image registry and, if a violation occurs, emits the error message that the API server returns to the user.
We can view the created constraint template with the kubectl get constrainttemplate command.
To put it into action we need to create a Constraint from the k8sallowedrepos ConstraintTemplate. The following constraint applies the template to Pods in the default namespace and allows only images whose repository starts with openpolicyagent/. Since the library's k8sallowedrepos template does a plain prefix match on the image string as written in the manifest, a fully qualified docker.io/openpolicyagent/... reference would not match unless that prefix is listed as well.
We can view the constraint that was created with kubectl get constraint.
Trying to create an nginx pod (kubectl run nginx --image nginx) will now be rejected by the OPA Gatekeeper webhook with the message from the template. If we want to remove the constraint from the cluster we can simply delete the resource. In an emergency where Gatekeeper itself prevents the cluster from operating, we can remove its mutating and validating webhook configurations, keeping in mind that this disables every policy at once until the webhooks are recreated, with the following command:
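The ConstraintTemplate, the Constraint and the surrounding kubectl steps (apply, view, test with an nginx pod, read the audit status described in the function list above, and the break-glass webhook removal) as one script. This is an added example, not the post's manifests: the Rego follows the k8sallowedrepos pattern from the gatekeeper-library, the constraint name repo-is-openpolicyagent and the script's function names are our own, and it assumes Gatekeeper is already installed in the demo cluster.

```shell
# Added example, not the post's own manifests. Assumes Gatekeeper is installed and
# kubectl points at the demo cluster. The template follows the k8sallowedrepos
# pattern from the gatekeeper-library; the constraint name is our own choice.
set -eu

# Step 1: ConstraintTemplate. Regular and init containers are both checked; a rule
# that only walks spec.containers would let an initContainer pull from anywhere.
render_allowed_repos_template() {
  cat <<'EOF'
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sallowedrepos
spec:
  crd:
    spec:
      names:
        kind: K8sAllowedRepos
      validation:
        openAPIV3Schema:
          type: object
          properties:
            repos:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sallowedrepos
        pod_containers[c] { c := input.review.object.spec.containers[_] }
        pod_containers[c] { c := input.review.object.spec.initContainers[_] }

        # Plain prefix match on the image string as written in the manifest:
        # "nginx" fails, and so does "docker.io/openpolicyagent/opa" unless listed.
        allowed(image) {
          startswith(image, input.parameters.repos[_])
        }
        violation[{"msg": msg}] {
          c := pod_containers[_]
          not allowed(c.image)
          msg := sprintf("container <%v> uses image <%v>; allowed repos: %v", [c.name, c.image, input.parameters.repos])
        }
EOF
}

# Step 2: Constraint. Binds the template to Pods in "default" with the post's allowed
# prefix. enforcementAction "dryrun" or "warn" trials a policy without blocking anyone.
render_allowed_repos_constraint() {
  cat <<'EOF'
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: repo-is-openpolicyagent
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["default"]
  parameters:
    repos:
      - "openpolicyagent/"
EOF
}

apply_policy() {
  render_allowed_repos_template | kubectl apply -f -
  kubectl get constrainttemplate k8sallowedrepos
  render_allowed_repos_constraint | kubectl apply -f -
  kubectl get constraint
}

# Step 3: exercise the webhook. nginx must be denied; if it is admitted, check that the
# gatekeeper pods are Ready, because the webhook fails open (failurePolicy Ignore) by default.
test_policy() {
  if kubectl run nginx --image nginx -n default; then
    echo "FAIL: nginx pod was admitted" >&2
    return 1
  fi
  kubectl run opa --image openpolicyagent/opa -n default
  kubectl delete pod opa -n default
}

# Audit findings for pre-existing or webhook-bypassing resources land in the constraint status.
show_audit() {
  kubectl get k8sallowedrepos repo-is-openpolicyagent -o jsonpath='{.status.violations}'
}

# Break-glass only: with the webhook configurations gone the API server never calls
# Gatekeeper, so every policy is bypassed until "helm upgrade" recreates them.
emergency_disable_gatekeeper() {
  kubectl delete validatingwebhookconfiguration gatekeeper-validating-webhook-configuration
  kubectl delete mutatingwebhookconfiguration gatekeeper-mutating-webhook-configuration --ignore-not-found
}
# Usage: ./gatekeeper-demo.sh apply_policy; ./gatekeeper-demo.sh test_policy; ...
[ "$#" -eq 0 ] || "$@"
```

Run apply_policy and then test_policy; the denial kubectl prints quotes the msg built in the template. On a real cluster, start with enforcementAction: dryrun so violations appear only in the audit status while you confirm that the repos list covers every form in which your registry is referenced (with and without the docker.io/ prefix), then flip to deny.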
To conclude,
Implementing OPA in your cluster involves multiple steps, from installing Gatekeeper to writing the ConstraintTemplate and Constraint resources, and it requires understanding Rego unless you rely on the ready-made templates in https://open-policy-agent.github.io/gatekeeper-library. Whichever engine you choose, remember that admission control only sees requests that reach the webhook, so keep the audit results in view and treat a fail-open or deleted webhook as a gap in enforcement. Kyverno offers an easier, YAML-based way to implement policies for the cluster, and we will cover it in later posts.
Relevant links:
Gatekeeper library - https://open-policy-agent.github.io/gatekeeper-library
Gatekeeper - https://open-policy-agent.github.io/gatekeeper
Gatekeeper Helm Chart - https://github.com/open-policy-agent/gatekeeper/tree/master/charts/gatekeeper