Logo of Open Policy Agent.

My last KubeCon 2020 experience told me that I really needed to give both OPA and Gatekeeper a try. Since then I learned how to use OPA as a container linter. What I now need to do is to leverage OPA Gatekeeper on my Kubernetes cluster.

The Open Policy Agent (OPA, pronounced “oh-pa”) is an open source, general-purpose policy engine that unifies policy enforcement across the stack. OPA provides a high-level declarative language that lets you specify policy as code and simple APIs to offload policy decision-making from your software.

OPA Gatekeeper is a new project that provides first-class integration between OPA and Kubernetes.

Instead of installing Gatekeeper itself on my Kubernetes cluster, I will rather leverage Policy Controller.

Anthos Config Management’s Policy Controller is a Kubernetes dynamic admission controller that checks, audits, and enforces your clusters’ compliance with policies related to security, regulations, or arbitrary business rules. Policy Controller is built from the Gatekeeper open source project.

Let’s see in actions how easy it is to setup Gatekeeper via Policy Controller.

Install Policy Controller

Policy Controller could be installed on any Kubernetes clusters (not just GKE) with the following kubectl commands:

gsutil cp gs://config-management-release/released/latest/config-management-operator.yaml ~/tmp/config-management-operator.yaml
kubectl apply -f ~/tmp/config-management-operator.yaml
cat > ~/tmp/config-management.yaml << EOF
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
  name: config-management
    enabled: true
kubectl apply -f ~/tmp/config-management.yaml

Notes: here are some considerations if you would like to install Policy Controller on a private cluster.

Let’s check if the installation was successful:

# Check if the gatekeeper components are installed
kubectl get pods -n gatekeeper-system

# Check the version of the Policy Controller
kubectl get deployments -n gatekeeper-system gatekeeper-controller-manager -o="jsonpath={.spec.template.spec.containers[0].image}"

# If your Kubernetes cluster is registered with Anthos, you could also check if Policy Controller is properly installed with ACM
gcloud alpha container hub config-management status

Create constraints

You could now list the default constraint templates installed:

kubectl get constrainttemplates

You could see this list here too.

Based on those templates, you could create your own constraints like described here.

Let’s see an example, by leveraging the K8sAllowedRepos template, with which we would like to allow only specific container registries for the images of the Pods running on our cluster:

kubectl describe K8sAllowedRepos
cat > allowed-repos.yaml << EOF
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
  name: allowed-repos
  enforcementAction: deny
      - apiGroups: [""]
        kinds: ["Pod"]
      - "gcr.io"
      - "k8s.gcr.io"
      - "gke.gcr.io"
kubectl apply -f allowed-repos.yaml

Another example could be to leverage the K8sExternalIPs template in order to mitigate CVE-2020-8554:

kubectl describe K8sExternalIPs
cat > no-external-ip-services.yaml << EOF
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
  name: no-external-ip-services
      - apiGroups: [""]
        kinds: ["Service"]
kubectl apply -f no-external-ip-services.yaml

Leveraging the default templates is great because we don’t have to write OPA regos for them. But, you may want to write your own template, here you are for the guidance to accomplish this.

And that’s it, that’s how easy it is to leverage OPA Gatekeeper via Policy Controller to have more governance in place and a better security posture on your Kubernetes clusters.

Further and complementary resources

That’s a wrap! Hope you enjoyed that one, sail safe out there, cheers! ;)