As more enterprises migrate to cloud native environments like Kubernetes the need for more scalable ways to define and enforce fine-grained policies increases: how can I limit the number of replicas of a pod for certain users? how can I ensure that all images come from trusted registries? Gatekeeper, a CNCF project, allows to define policy as Kubernetes objects, making it easier to adopt policy-as-code practices in Kubernetes environments and sharing reusable policy templates. In this talk we will demo Gatekeeper for Kubernetes environments. You will learn how to adopt policy-as-code techniques and how you can integrate Gatekeeper with your existing tools.

1. Embracing change:
Policy-as-code in Kubernetes with OPA and Gatekeeper
Ara Pulido - Technical Evangelist
@arapulido

2. Kubernetes is a container
orchestration platform to
help you run your
containerized applications
in production

3. Datadog is a monitoring
and analytics platform that
helps companies improve
observability of their
infrastructure and
applications

4. Policy?

5. Rules that governs the behavior of a
software service
Policy

6. Role Based Access Control
RBAC

7. RBAC
Subject
Kubernetes API
resources
Verb

8. RBAC
Subject
Kubernetes API
resources
Verb
user:ara
apiVersion:v1/core
kind:Pod
create
get
watch

9. Policy
Authz

10. Can I run an image coming from a 3rd
party registry?
Has my pod all the labels that are
required by my organization?

14. Domain agnostic
Policy
(rego)
Data
(json)
Policy query
(json)
Policy decision
(json)

16. Gatekeeper

17. Authentication
API request

18. Authentication Authorization
API request

19. Authentication Authorization
Admission
Controllers
API request
Validate
Mutate

20. Admission
Controllers
ValidatingAdmissionWebhook
MutatingAdmissionWebhook
Gatekeeper

21. Gatekeeper is Kubernetes native
CRDs
Gatekeeper
controller

22. Main CRDs
ConstraintTemplate
Constraint
Constraint
Constraint
Constraint
Constraint
Constraint
Constraint

23. ConstraintTemplate
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
validation:
# Schema for the `parameters` field
openAPIV3Schema:
properties:
labels:
type: array
items: string
targets:
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8srequiredlabels
violation[{"msg": msg, "details":
{"missing_labels": missing}}] {
provided := {label |
input.review.object.metadata.labels[label]}
required := {label | label :=
input.parameters.labels[_]}
missing := required - provided
count(missing) > 0
msg := sprintf("you must provide
labels: %v", [missing])
}

24. Constraints
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: ns-must-have-gk
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Namespace"]
parameters:
labels: ["gatekeeper"]
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: pod-required-labels
spec:
match:
namespace: "default"
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
labels: ["do-not-delete"]

25. Gatekeeper makes reuse of policy simple

26. Gatekeeper makes reuse of policy simple
Images can only come from approved registries

27. Gatekeeper makes reuse of policy simple
Images can only come from approved registries
Deployments require to have certain mandatory labels

28. Gatekeeper makes reuse of policy simple
Images can only come from approved registries
Deployments require to have certain mandatory labels
Container images must have a digest

29. Gatekeeper makes reuse of policy simple
Images can only come from approved registries
Deployments require to have certain mandatory labels
Container images must have a digest
Containers must have memory and CPU limits set and
within a specified max value

30. Gatekeeper Library

31. https-only

32. https-only

33. https://github.com/open-policy-agent/gatekeeper-library

34. Observability

35. Out-of-the-box metrics
ConstraintTemplates, Constraints (gauge)
35
Webhook: #requests (count) and latency (histogram)
Audit: #violations (count) and time last run (gauge)
Sync: # resources cached (count) and time last run (gauge)

36. Datadog integration
36

37. Demo

38. Host must be unique among all Ingresses

39. Host must be unique among all Ingresses
Policy
Data

40. Host must be unique among all Ingresses
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
name: config
namespace: "gatekeeper-system"
spec:
sync:
syncOnly:
- group: "extensions"
version: "v1beta1"
kind: "Ingress"
- group: "networking.k8s.io"
version: "v1beta1"
kind: "Ingress"
Policy
Data

41. Demo

42. Thanks!
@arapulido