As more enterprises migrate to cloud native environments like Kubernetes, the need for more scalable ways to define and enforce fine-grained policies increases: how can I limit the number of replicas of a pod for certain users? How can I ensure that all images come from trusted registries? Gatekeeper, a CNCF project, allows policy to be defined as Kubernetes objects, making it easier to adopt policy-as-code practices in Kubernetes environments and to share reusable policy templates. In this talk we will demo Gatekeeper for Kubernetes environments. You will learn how to adopt policy-as-code techniques and how you can integrate Gatekeeper with your existing tools.
27. Gatekeeper makes reuse of policy simple
Images can only come from approved registries
Deployments are required to have certain mandatory labels
Container images must have a digest
Containers must have memory and CPU limits set and within a specified max value
35. Out-of-the-box metrics
ConstraintTemplates, Constraints (gauge)
Webhook: #requests (count) and latency (histogram)
Audit: #violations (count) and time last run (gauge)
Sync: # resources cached (count) and time last run (gauge)