Notes for how things are defined in the Gatekeeper project and the expected behavior to date.
There are two types of scenarios for enforcing policies:
- create scenario (green field): requests rejected by the API server as a result of the validating webhook; the logs for those events are currently persisted only in the k8s audit log.
- compliance scenario (brown field): audit results and dry-run results that identify existing resources in the cluster that violate a constraint.
To give users the ability to:
- create constraints that only limit certain namespaces (applicable to create and compliance scenarios)
  - match using namespace
    Example: prod-repo-is-openpolicyagent constraint
    apiVersion: constraints.gatekeeper.sh/v1alpha1
    kind: K8sAllowedRepos
    metadata:
      name: prod-repo-is-openpolicyagent
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "production"
      parameters:
        repos:
          - "openpolicyagent"
  - match using labelSelector
    Example: prodworkload-repo-is-openpolicyagent constraint will match any pod that has the prodworkload label
    apiVersion: constraints.gatekeeper.sh/v1alpha1
    kind: K8sAllowedRepos
    metadata:
      name: prodworkload-repo-is-openpolicyagent
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        labelSelector:
          matchExpressions:
            - key: prodworkload
              operator: Exists
      parameters:
        repos:
          - "openpolicyagent"
- exclude the validation webhook on certain namespaces (applicable to create scenarios only)
  Example: validation.gatekeeper.sh ValidatingWebhookConfiguration
    apiVersion: admissionregistration.k8s.io/v1beta1
    kind: ValidatingWebhookConfiguration
    metadata:
      name: validation.gatekeeper.sh
    webhooks:
      - clientConfig:
          # <omitted>
          service:
            name: gatekeeper-controller-manager-service
            namespace: gatekeeper-system
            path: /v1/admit
        failurePolicy: Ignore
        name: validation.gatekeeper.sh
        namespaceSelector:
          matchExpressions:
            - key: control-plane
              operator: DoesNotExist
        rules:
          - apiGroups:
              - '*'
            apiVersions:
              - '*'
            operations:
              - CREATE
              - UPDATE
            resources:
              - '*'
        sideEffects: Unknown
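The following is an added example, not Gatekeeper's own code: a small re-implementation of the two scoping mechanisms shown above, a constraint's spec.match (kinds, namespaces, labelSelector) and the webhook's namespaceSelector, run against constructed sample objects. It assumes exact apiGroup/kind matching and the four core label-selector operators; the sample pod and namespace labels are made up for illustration.

```python
# Added example, not Gatekeeper's code: re-implements how a constraint's
# spec.match (kinds, namespaces, labelSelector) and the webhook's namespaceSelector
# decide which resources are evaluated. Assumes exact apiGroup/kind matching.
def selector_matches(labels, selector):
    """Evaluate a Kubernetes label selector (matchLabels and matchExpressions)."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
        if op == "In" and (not present or labels[key] not in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
    return True

def constraint_matches(match, obj):
    """Every part of spec.match must hold: kinds, namespaces, labelSelector."""
    kinds = match.get("kinds", [])
    if kinds and not any(obj["apiGroup"] in k["apiGroups"] and obj["kind"] in k["kinds"]
                         for k in kinds):
        return False
    if match.get("namespaces") and obj["namespace"] not in match["namespaces"]:
        return False
    return selector_matches(obj.get("labels", {}), match.get("labelSelector", {}))

def webhook_reaches_gatekeeper(namespace_labels, namespace_selector):
    """Create scenario only: the API server skips the webhook when the request's
    namespace does not match namespaceSelector; audit of existing resources is unaffected."""
    return selector_matches(namespace_labels, namespace_selector)

# Constructed sample inputs mirroring the manifests in the notes above.
NS_MATCH = {"kinds": [{"apiGroups": [""], "kinds": ["Pod"]}], "namespaces": ["production"]}
LABEL_MATCH = {"kinds": [{"apiGroups": [""], "kinds": ["Pod"]}],
               "labelSelector": {"matchExpressions": [{"key": "prodworkload", "operator": "Exists"}]}}
WEBHOOK_NS_SELECTOR = {"matchExpressions": [{"key": "control-plane", "operator": "DoesNotExist"}]}
PODS = {  # constructed objects; "prod-deploy" is not a Pod and is skipped by kinds
    "prod-web": {"apiGroup": "", "kind": "Pod", "namespace": "production", "labels": {"app": "web"}},
    "staging-batch": {"apiGroup": "", "kind": "Pod", "namespace": "staging", "labels": {"prodworkload": "true"}},
    "prod-deploy": {"apiGroup": "apps", "kind": "Deployment", "namespace": "production", "labels": {"prodworkload": ""}},
}

def matched_names(match):
    """Sample objects a constraint with this spec.match would evaluate."""
    return sorted(n for n, o in PODS.items() if constraint_matches(match, o))
```

Note that a request for a pod in a namespace carrying the control-plane label never reaches the webhook in the create scenario, while the audit (compliance) path still evaluates the constraint against that pod.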
To allow administrators of namespaces to declare constraints on their namespace without giving them the ability to constrain other namespaces.