{"id":5536,"date":"2020-05-18T08:00:30","date_gmt":"2020-05-18T02:30:30","guid":{"rendered":"https:\/\/www.upnxtblog.com\/?p=5536"},"modified":"2020-05-11T11:45:11","modified_gmt":"2020-05-11T06:15:11","slug":"how-to-author-and-enforce-policies-using-open-policy-agent-gatekeeper","status":"publish","type":"post","link":"https:\/\/www.upnxtblog.com\/index.php\/2020\/05\/18\/how-to-author-and-enforce-policies-using-open-policy-agent-gatekeeper\/","title":{"rendered":"How to author and enforce policies using Open Policy Agent Gatekeeper"},"content":{"rendered":"<p>As of this writing, there is NO single security configuration for Kubernetes. For example, what a specific user can do, the groups they belong to, the actions they can perform on various Kubernetes resources (pods, deployments, services, etc.), and the network and pod security policies that apply to the objects they create cannot be expressed as one set of rules; each lives in a different policy component.<\/p>\n<p>Because there is no single-point security solution, ensuring compliance manually is error-prone and frustrating. What is needed is a lightweight, general-purpose policy engine that allows developers to operate independently without sacrificing compliance, makes policy enforcement easy, and automatically discovers violations and conflicts. 
Policy authors would also be able to author and deploy custom policies that control the behavior of the service\u2019s policy-enabled features.<\/p>\n<p>In this post, I\u2019ll explain how to use the <strong><a href=\"https:\/\/github.com\/open-policy-agent\/gatekeeper\" target=\"_blank\" rel=\"noopener\">Open Policy Agent Gatekeeper<\/a><\/strong> policy engine to author and manage the policies that secure the Kubernetes cluster.<\/p>\n<h2>Introducing Open Policy Agent Gatekeeper<\/h2>\n<p><strong>Open Policy Agent Gatekeeper<\/strong> enforces policies and strengthens governance on the Kubernetes cluster. The key functionalities it provides are:<\/p>\n<ul>\n<li>Extensible, parameterized policy library.<\/li>\n<li>High-level declarative language (Rego) to author fine-grained policies in the system.<\/li>\n<li>Native Kubernetes CRDs for instantiating the policy library \u2013 allows the definition of &#8220;constraints&#8221;, each of which requires the system to meet a given set of requirements.<\/li>\n<li>Native Kubernetes CRDs for extending the policy library \u2013 allows the definition of &#8220;constraint templates&#8221;, which let users declare new kinds of Constraints.<\/li>\n<li>Audit functionality &#8211; allows periodic evaluation of replicated resources against the Constraints enforced in the cluster to detect any mismatches.<\/li>\n<li>Test framework that you can use to write tests for policies. 
By writing tests for policies, the development process of new rules is accelerated and time saved.<\/li>\n<\/ul>\n<figure id=\"attachment_4548\" aria-describedby=\"caption-attachment-4548\" style=\"width: 943px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" decoding=\"async\" data-attachment-id=\"4548\" data-permalink=\"https:\/\/www.upnxtblog.com\/index.php\/2019\/12\/09\/implementing-policies-in-kubernetes\/kube1-2\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube1.png?fit=943%2C478&amp;ssl=1\" data-orig-size=\"943,478\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"kube1\" data-image-description=\"&lt;p&gt;Open Policy Agent Gatekeeper Components \/ Source \u2013 Open Policy Agent Gatekeeper Documentation&lt;\/p&gt;\n\" data-image-caption=\"&lt;p&gt;Image \u2013 Open Policy Agent Gatekeeper Components \/ Source \u2013 Open Policy Agent Gatekeeper Documentation&lt;\/p&gt;\n\" data-large-file=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube1.png?fit=943%2C478&amp;ssl=1\" class=\"size-full wp-image-4548 lazyload\" data-src=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube1.png?resize=943%2C478&#038;ssl=1\" alt=\"Open Policy Agent Gatekeeper Components \" width=\"943\" height=\"478\" data-srcset=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube1.png?w=943&amp;ssl=1 943w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube1.png?resize=300%2C152&amp;ssl=1 300w, 
https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube1.png?resize=768%2C389&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube1.png?resize=600%2C304&amp;ssl=1 600w\" data-sizes=\"auto, (max-width: 943px) 100vw, 943px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 943px; --smush-placeholder-aspect-ratio: 943\/478;\" \/><figcaption id=\"caption-attachment-4548\" class=\"wp-caption-text\">Image \u2013 Open Policy Agent Gatekeeper Components \/ Source \u2013 Open Policy Agent Gatekeeper Documentation<\/figcaption><\/figure>\n<p>Kubernetes <a href=\"https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/extensible-admission-controllers\/\" target=\"_blank\" rel=\"noopener\">provides<\/a> <em>admission controller webhooks<\/em> (HTTP callbacks) that intercept admission requests before they are persisted as objects in Kubernetes; OPA Gatekeeper uses the same mechanism to make policy decisions on requests coming from the API server. Once all object modifications are complete and the incoming object has been validated by the API server, the validating admission webhooks are invoked, and they can either accept or reject the request to enforce policies.<\/p>\n<p>Gatekeeper enforces CRD-based policies executed by Open Policy Agent and thus gives users customized admission control via configuration.<\/p>\n<h2>Key Concepts<\/h2>\n<ul>\n<li><strong>Validation of Controls<\/strong> &#8211; Once Gatekeeper is installed in the cluster, the API server triggers the Gatekeeper admission webhook to process the admission request whenever a resource in the cluster is created, updated, or deleted. During the validation process, Gatekeeper acts as a bridge between the API server and OPA. The API server will enforce all policies executed by OPA.<\/li>\n<li><strong>Policies \/ Constraints<\/strong> &#8211; A Constraint is a declaration that the system must meet a given set of requirements. Each Constraint is written in Rego, a declarative query language used to enumerate instances of data that violate the expected state of the system. All Constraints are evaluated as a logical AND: if one Constraint is not satisfied, the whole request is rejected.<\/li>\n<li><strong>Audit Functionality<\/strong> &#8211; Enables periodic evaluation of replicated resources against the Constraints enforced in the cluster to detect pre-existing misconfigurations.<\/li>\n<li><strong>Data replication<\/strong> is required by Constraints that need access to objects in the cluster other than the object under evaluation. For example, a Constraint that enforces the uniqueness of ingress hostnames must have access to all other ingresses in the cluster.<\/li>\n<\/ul>\n<h1>#1. Implementing a Simple Constraint \/ ConstraintTemplate with OPA Gatekeeper<\/h1>\n<p>In this example, we will define a new constraint template and constraint that require the specified labels to be present and valid. 
Here, I\u2019m going to use the <a href=\"https:\/\/github.com\/open-policy-agent\/gatekeeper\/tree\/master\/demo\" target=\"_blank\" rel=\"noopener\">samples<\/a> that come with OPA Gatekeeper.<\/p>\n<h3>Installation<\/h3>\n<p>To deploy a released version of Gatekeeper on the cluster with a prebuilt image, run the following command:<\/p>\n<p><code>kubectl apply -f https:\/\/raw.githubusercontent.com\/open-policy-agent\/gatekeeper\/master\/deploy\/gatekeeper.yaml<\/code><\/p>\n<figure id=\"attachment_4549\" aria-describedby=\"caption-attachment-4549\" style=\"width: 883px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" decoding=\"async\" data-attachment-id=\"4549\" data-permalink=\"https:\/\/www.upnxtblog.com\/index.php\/2019\/12\/09\/implementing-policies-in-kubernetes\/kube2-2\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube2.png?fit=883%2C116&amp;ssl=1\" data-orig-size=\"883,116\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"kube2\" data-image-description=\"&lt;p&gt;Kubernetes Cluster is ready&lt;\/p&gt;\n\" data-image-caption=\"&lt;p&gt;Image &amp;#8211; Kubernetes Cluster is ready&lt;\/p&gt;\n\" data-large-file=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube2.png?fit=883%2C116&amp;ssl=1\" class=\"size-full wp-image-4549 lazyload\" data-src=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube2.png?resize=883%2C116&#038;ssl=1\" alt=\"Kubernetes Cluster is ready\" width=\"883\" height=\"116\" 
data-srcset=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube2.png?w=883&amp;ssl=1 883w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube2.png?resize=300%2C39&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube2.png?resize=768%2C101&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube2.png?resize=600%2C79&amp;ssl=1 600w\" data-sizes=\"auto, (max-width: 883px) 100vw, 883px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 883px; --smush-placeholder-aspect-ratio: 883\/116;\" \/><figcaption id=\"caption-attachment-4549\" class=\"wp-caption-text\">Image &#8211; Kubernetes Cluster is ready<\/figcaption><\/figure>\n<p>We have our Kubernetes cluster ready, let&#8217;s install Gatekeeper with a prebuilt image.<\/p>\n<figure id=\"attachment_4550\" aria-describedby=\"caption-attachment-4550\" style=\"width: 889px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" decoding=\"async\" data-attachment-id=\"4550\" data-permalink=\"https:\/\/www.upnxtblog.com\/index.php\/2019\/12\/09\/implementing-policies-in-kubernetes\/kube3-2\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube3.png?fit=889%2C219&amp;ssl=1\" data-orig-size=\"889,219\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"kube3\" data-image-description=\"&lt;p&gt;Open Policy Agent Gatekeeper Installation 
completed&lt;\/p&gt;\n\" data-image-caption=\"&lt;p&gt;Image &amp;#8211; Open Policy Agent Gatekeeper Installation completed&lt;\/p&gt;\n\" data-large-file=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube3.png?fit=889%2C219&amp;ssl=1\" class=\"size-full wp-image-4550 lazyload\" data-src=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube3.png?resize=889%2C219&#038;ssl=1\" alt=\"Open Policy Agent Gatekeeper Installation completed\" width=\"889\" height=\"219\" data-srcset=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube3.png?w=889&amp;ssl=1 889w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube3.png?resize=300%2C74&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube3.png?resize=768%2C189&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube3.png?resize=600%2C148&amp;ssl=1 600w\" data-sizes=\"auto, (max-width: 889px) 100vw, 889px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 889px; --smush-placeholder-aspect-ratio: 889\/219;\" \/><figcaption id=\"caption-attachment-4550\" class=\"wp-caption-text\">Image &#8211; Open Policy Agent Gatekeeper Installation completed<\/figcaption><\/figure>\n<p>The Gatekeeper roles and CRDs are now installed. The next step is to create a new constraint template that requires labels on namespaces to be present and valid.<\/p>\n<h3>Define constraint template(s)<\/h3>\n<p><strong>ConstraintTemplate<\/strong> defines what needs to be enforced and the schema of the constraint. 
Notice the <code>validation<\/code> and <code>targets<\/code> sections: the <code>openAPIV3Schema<\/code> under <code>validation<\/code> declares the schema of the constraint\u2019s <code>parameters<\/code> field, which lets users fine-tune the behavior of a constraint, and <code>targets<\/code> carries the Rego that is evaluated against admission requests.<\/p>\n<pre><code>apiVersion: templates.gatekeeper.sh\/v1beta1\nkind: ConstraintTemplate\nmetadata:\n  name: k8srequiredlabels\nspec:\n  crd:\n    spec:\n      names:\n        kind: K8sRequiredLabels\n        listKind: K8sRequiredLabelsList\n        plural: k8srequiredlabels\n        singular: k8srequiredlabels\n      validation:\n        # Schema for the `parameters` field\n        openAPIV3Schema:\n          properties:\n            labels:\n              type: array\n              items: string\n  targets:\n    - target: admission.k8s.gatekeeper.sh\n      rego: |\n        package k8srequiredlabels\n\n        violation[{\"msg\": msg, \"details\": {\"missing_labels\": missing}}] {\n          provided := {label | input.review.object.metadata.labels[label]}\n          required := {label | label := input.parameters.labels[_]}\n          missing := required - provided\n          count(missing) &gt; 0\n          msg := sprintf(\"you must provide labels: %v\", [missing])\n        }\n<\/code><\/pre>\n<p>Install the <code>ConstraintTemplate<\/code> with the following command:<\/p>\n<p><code>kubectl apply -f https:\/\/raw.githubusercontent.com\/open-policy-agent\/gatekeeper\/master\/demo\/basic\/templates\/k8srequiredlabels_template.yaml<\/code><\/p>\n<figure id=\"attachment_4551\" aria-describedby=\"caption-attachment-4551\" style=\"width: 888px\" class=\"wp-caption 
aligncenter\"><img data-recalc-dims=\"1\" decoding=\"async\" data-attachment-id=\"4551\" data-permalink=\"https:\/\/www.upnxtblog.com\/index.php\/2019\/12\/09\/implementing-policies-in-kubernetes\/kube4-2\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube4.png?fit=888%2C104&amp;ssl=1\" data-orig-size=\"888,104\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"kube4\" data-image-description=\"&lt;p&gt;OPA Gatekeeper ConstraintTemplate created&lt;\/p&gt;\n\" data-image-caption=\"&lt;p&gt;Image &amp;#8211; OPA Gatekeeper ConstraintTemplate created&lt;\/p&gt;\n\" data-large-file=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube4.png?fit=888%2C104&amp;ssl=1\" class=\"size-full wp-image-4551 lazyload\" data-src=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube4.png?resize=888%2C104&#038;ssl=1\" alt=\"OPA Gatekeeper ConstraintTemplate created\" width=\"888\" height=\"104\" data-srcset=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube4.png?w=888&amp;ssl=1 888w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube4.png?resize=300%2C35&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube4.png?resize=768%2C90&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube4.png?resize=600%2C70&amp;ssl=1 600w\" data-sizes=\"auto, (max-width: 888px) 100vw, 888px\" 
src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 888px; --smush-placeholder-aspect-ratio: 888\/104;\" \/><figcaption id=\"caption-attachment-4551\" class=\"wp-caption-text\">Image &#8211; OPA Gatekeeper ConstraintTemplate created<\/figcaption><\/figure>\n<p>The <code>ConstraintTemplate<\/code> is created; the next step is to define a constraint and apply it to namespaces.<\/p>\n<h3>Define constraints<\/h3>\n<p>The following constraint uses the <code>K8sRequiredLabels<\/code> constraint template defined in the previous step to make sure the <code>gatekeeper<\/code> label is defined on all namespaces.<\/p>\n<pre><code>apiVersion: constraints.gatekeeper.sh\/v1beta1\nkind: K8sRequiredLabels\nmetadata:\n  name: ns-must-have-gk\nspec:\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Namespace\"]\n  parameters:\n    labels: [\"gatekeeper\"]\n<\/code><\/pre>\n<p>The <code>match<\/code> field defines the scope of objects to which a given constraint will be applied:<\/p>\n<ul>\n<li><code>kinds<\/code> accepts a list of objects with <code>apiGroups<\/code> and <code>kinds<\/code> fields that list the groups\/kinds of objects to which the constraint will apply.<\/li>\n<li><code>namespaces<\/code> is a list of namespace names. 
If defined, a constraint will only apply to resources in a listed namespace.<\/li>\n<li><code>labelSelector<\/code> and <code>namespaceSelector<\/code> are standard Kubernetes label and namespace selectors.<\/li>\n<\/ul>\n<p>Install the above Constraint with the following command:<\/p>\n<p><code>kubectl apply -f https:\/\/raw.githubusercontent.com\/open-policy-agent\/gatekeeper\/master\/demo\/basic\/constraints\/all_ns_must_have_gatekeeper.yaml<\/code><\/p>\n<figure id=\"attachment_4553\" aria-describedby=\"caption-attachment-4553\" style=\"width: 888px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" decoding=\"async\" data-attachment-id=\"4553\" data-permalink=\"https:\/\/www.upnxtblog.com\/index.php\/2019\/12\/09\/implementing-policies-in-kubernetes\/kube5-2\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube5.png?fit=888%2C104&amp;ssl=1\" data-orig-size=\"888,104\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"kube5\" data-image-description=\"&lt;p&gt;OPA Gatekeeper ConstraintTemplate created&lt;\/p&gt;\n\" data-image-caption=\"&lt;p&gt;Image &amp;#8211; OPA Gatekeeper ConstraintTemplate created&lt;\/p&gt;\n\" data-large-file=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube5.png?fit=888%2C104&amp;ssl=1\" class=\"size-full wp-image-4553 lazyload\" data-src=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube5.png?resize=888%2C104&#038;ssl=1\" alt=\"OPA Gatekeeper ConstraintTemplate created\" width=\"888\" height=\"104\" 
data-srcset=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube5.png?w=888&amp;ssl=1 888w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube5.png?resize=300%2C35&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube5.png?resize=768%2C90&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube5.png?resize=600%2C70&amp;ssl=1 600w\" data-sizes=\"auto, (max-width: 888px) 100vw, 888px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 888px; --smush-placeholder-aspect-ratio: 888\/104;\" \/><figcaption id=\"caption-attachment-4553\" class=\"wp-caption-text\">Image &#8211; OPA Gatekeeper ConstraintTemplate created<\/figcaption><\/figure>\n<figure id=\"attachment_4554\" aria-describedby=\"caption-attachment-4554\" style=\"width: 889px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" decoding=\"async\" data-attachment-id=\"4554\" data-permalink=\"https:\/\/www.upnxtblog.com\/index.php\/2019\/12\/09\/implementing-policies-in-kubernetes\/kube6-2\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube6.png?fit=889%2C97&amp;ssl=1\" data-orig-size=\"889,97\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"kube6\" data-image-description=\"&lt;p&gt;OPA Gatekeeper Constraints created&lt;\/p&gt;\n\" data-image-caption=\"&lt;p&gt;Image &amp;#8211; OPA Gatekeeper Constraints created&lt;\/p&gt;\n\" data-large-file=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube6.png?fit=889%2C97&amp;ssl=1\" class=\"size-full wp-image-4554 lazyload\" data-src=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube6.png?resize=889%2C97&#038;ssl=1\" alt=\"OPA Gatekeeper Constraints created\" width=\"889\" height=\"97\" data-srcset=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube6.png?w=889&amp;ssl=1 889w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube6.png?resize=300%2C33&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube6.png?resize=768%2C84&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube6.png?resize=600%2C65&amp;ssl=1 600w\" data-sizes=\"auto, (max-width: 889px) 100vw, 889px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 889px; --smush-placeholder-aspect-ratio: 889\/97;\" \/><figcaption id=\"caption-attachment-4554\" class=\"wp-caption-text\">Image &#8211; OPA Gatekeeper Constraints created<\/figcaption><\/figure>\n<p>Now that the ConstraintTemplate and Constraint are in place, let\u2019s try to create a new namespace without the label.<\/p>\n<figure 
id=\"attachment_4555\" aria-describedby=\"caption-attachment-4555\" style=\"width: 892px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" decoding=\"async\" data-attachment-id=\"4555\" data-permalink=\"https:\/\/www.upnxtblog.com\/index.php\/2019\/12\/09\/implementing-policies-in-kubernetes\/kube7-2\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube7.png?fit=892%2C121&amp;ssl=1\" data-orig-size=\"892,121\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"kube7\" data-image-description=\"&lt;p&gt;OPA Gatekeeper Test Simple Constraint&lt;\/p&gt;\n\" data-image-caption=\"&lt;p&gt;Image &amp;#8211; OPA Gatekeeper Test Simple Constraint&lt;\/p&gt;\n\" data-large-file=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube7.png?fit=892%2C121&amp;ssl=1\" class=\"size-full wp-image-4555 lazyload\" data-src=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube7.png?resize=892%2C121&#038;ssl=1\" alt=\"OPA Gatekeeper Test Simple Constraint\" width=\"892\" height=\"121\" data-srcset=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube7.png?w=892&amp;ssl=1 892w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube7.png?resize=300%2C41&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube7.png?resize=768%2C104&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube7.png?resize=600%2C81&amp;ssl=1 600w\" data-sizes=\"auto, (max-width: 892px) 100vw, 892px\" 
src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 892px; --smush-placeholder-aspect-ratio: 892\/121;\" \/><figcaption id=\"caption-attachment-4555\" class=\"wp-caption-text\">Image &#8211; OPA Gatekeeper Test Simple Constraint<\/figcaption><\/figure>\n<p>As you can see, OPA Gatekeeper has prevented the creation of a namespace without the required label. Next, let\u2019s look at an example of how to set a container limits policy.<\/p>\n<h1>#2. Implementing a Container Limits Constraint \/ ConstraintTemplate with OPA Gatekeeper<\/h1>\n<p>In this example, we will define a new constraint template and constraint that require container limits to be specified in the Pod definition.<\/p>\n<p>We are going to reuse the Kubernetes cluster with the Gatekeeper components installed in the previous demo. Our first step is to define the constraint template.<\/p>\n<h3>Define constraint template(s)<\/h3>\n<p><strong>ConstraintTemplate<\/strong> defines what needs to be enforced and the schema of the constraint. 
Here the container limits template is defined in <code>k8scontainterlimits_template.yaml<\/code>.<\/p>\n<p>Install the <code>ConstraintTemplate<\/code> with the following command:<\/p>\n<p><code>kubectl apply -f https:\/\/raw.githubusercontent.com\/open-policy-agent\/gatekeeper\/master\/demo\/agilebank\/templates\/k8scontainterlimits_template.yaml<\/code><\/p>\n<figure id=\"attachment_4556\" aria-describedby=\"caption-attachment-4556\" style=\"width: 896px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" decoding=\"async\" data-attachment-id=\"4556\" data-permalink=\"https:\/\/www.upnxtblog.com\/index.php\/2019\/12\/09\/implementing-policies-in-kubernetes\/kube8-2\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube8.png?fit=896%2C130&amp;ssl=1\" data-orig-size=\"896,130\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"kube8\" data-image-description=\"&lt;p&gt;OPA Gatekeeper Container Limits Constraint Template Created&lt;\/p&gt;\n\" data-image-caption=\"&lt;p&gt;Image &amp;#8211; OPA Gatekeeper Container Limits Constraint Template Created&lt;\/p&gt;\n\" data-large-file=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube8.png?fit=896%2C130&amp;ssl=1\" class=\"size-full wp-image-4556 lazyload\" data-src=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube8.png?resize=896%2C130&#038;ssl=1\" alt=\"OPA Gatekeeper Container Limits Constraint Template Created\" width=\"896\" height=\"130\" 
data-srcset=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube8.png?w=896&amp;ssl=1 896w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube8.png?resize=300%2C44&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube8.png?resize=768%2C111&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube8.png?resize=600%2C87&amp;ssl=1 600w\" data-sizes=\"auto, (max-width: 896px) 100vw, 896px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 896px; --smush-placeholder-aspect-ratio: 896\/130;\" \/><figcaption id=\"caption-attachment-4556\" class=\"wp-caption-text\">Image &#8211; OPA Gatekeeper Container Limits Constraint Template Created<\/figcaption><\/figure>\n<h3>Define constraint<\/h3>\n<p>The next step is to define a constraint that makes sure the CPU and memory limits of each container are less than or equal to 200m and 1Gi respectively.<\/p>\n<pre><code>apiVersion: constraints.gatekeeper.sh\/v1beta1\nkind: K8sContainerLimits\nmetadata:\n  name: container-must-have-limits\nspec:\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n  parameters:\n    cpu: \"200m\"\n    memory: \"1Gi\"\n<\/code><\/pre>\n<figure id=\"attachment_4557\" aria-describedby=\"caption-attachment-4557\" style=\"width: 889px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" decoding=\"async\" data-attachment-id=\"4557\" data-permalink=\"https:\/\/www.upnxtblog.com\/index.php\/2019\/12\/09\/implementing-policies-in-kubernetes\/kube9-2\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube9.png?fit=889%2C137&amp;ssl=1\" 
data-orig-size=\"889,137\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"kube9\" data-image-description=\"&lt;p&gt;OPA Gatekeeper Container Limits Constraint Created&lt;\/p&gt;\n\" data-image-caption=\"&lt;p&gt;Image &amp;#8211; OPA Gatekeeper Container Limits Constraint Created&lt;\/p&gt;\n\" data-large-file=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube9.png?fit=889%2C137&amp;ssl=1\" class=\"size-full wp-image-4557 lazyload\" data-src=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube9.png?resize=889%2C137&#038;ssl=1\" alt=\"OPA Gatekeeper Container Limits Constraint Created\" width=\"889\" height=\"137\" data-srcset=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube9.png?w=889&amp;ssl=1 889w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube9.png?resize=300%2C46&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube9.png?resize=768%2C118&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube9.png?resize=600%2C92&amp;ssl=1 600w\" data-sizes=\"auto, (max-width: 889px) 100vw, 889px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 889px; --smush-placeholder-aspect-ratio: 889\/137;\" \/><figcaption id=\"caption-attachment-4557\" class=\"wp-caption-text\">Image &#8211; OPA Gatekeeper Container Limits Constraint Created<\/figcaption><\/figure>\n<p>Now that we have 
ConstraintTemplate &amp; Constraint created, let\u2019s try out creating new resources without limits.<\/p>\n<p><code>apiVersion: v1<\/code><br \/>\n<code>kind: Pod<\/code><br \/>\n<code>metadata:<\/code><br \/>\n<code>name: opa<\/code><br \/>\n<code>namespace: production<\/code><br \/>\n<code>labels:<\/code><br \/>\n<code>owner: me.agilebank.demo<\/code><br \/>\n<code>spec:<\/code><br \/>\n<code>containers:<\/code><br \/>\n<code>- name: opa<\/code><br \/>\n<code>image: openpolicyagent\/opa:0.9.2<\/code><br \/>\n<code>args:<\/code><br \/>\n<code>- \"run\"<\/code><br \/>\n<code>- \"--server\"<\/code><br \/>\n<code>- \"--addr=localhost:8080\"<\/code><\/p>\n<p><code>kubectl apply -f https:\/\/raw.githubusercontent.com\/open-policy-agent\/gatekeeper\/master\/demo\/agilebank\/bad_resources\/opa_no_limits.yaml<\/code><\/p>\n<figure id=\"attachment_4558\" aria-describedby=\"caption-attachment-4558\" style=\"width: 890px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" decoding=\"async\" data-attachment-id=\"4558\" data-permalink=\"https:\/\/www.upnxtblog.com\/index.php\/2019\/12\/09\/implementing-policies-in-kubernetes\/kube10-2\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube10.png?fit=890%2C136&amp;ssl=1\" data-orig-size=\"890,136\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"kube10\" data-image-description=\"&lt;p&gt;OPA Gatekeeper Container Limits Constraint Testing&lt;\/p&gt;\n\" data-image-caption=\"&lt;p&gt;Image &amp;#8211; OPA Gatekeeper Container Limits Constraint Testing&lt;\/p&gt;\n\" 
data-large-file=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube10.png?fit=890%2C136&amp;ssl=1\" class=\"size-full wp-image-4558 lazyload\" data-src=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube10.png?resize=890%2C136&#038;ssl=1\" alt=\"OPA Gatekeeper Container Limits Constraint Testing\" width=\"890\" height=\"136\" data-srcset=\"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube10.png?w=890&amp;ssl=1 890w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube10.png?resize=300%2C46&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube10.png?resize=768%2C117&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2019\/11\/kube10.png?resize=600%2C92&amp;ssl=1 600w\" data-sizes=\"auto, (max-width: 890px) 100vw, 890px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 890px; --smush-placeholder-aspect-ratio: 890\/136;\" \/><figcaption id=\"caption-attachment-4558\" class=\"wp-caption-text\">Image &#8211; OPA Gatekeeper Container Limits Constraint Testing<\/figcaption><\/figure>\n<p>As you can see, <code>ConstraintTemplate &amp; Constraint<\/code> restricts the pod creation without limits.<\/p>\n<p><em>Congrats! We have successfully enforced policies with the OPA Gatekeeper Policy engine.<\/em><\/p>\n<p>To uninstall the Gatekeeper policy engine, first clean up old Constraints, ConstraintTemplates, and the Config resource in the gatekeeper-system namespace and then uninstall Gatekeeper. Currently, the uninstall action only removes the Gatekeeper system. This will make sure all finalizers are removed by Gatekeeper. Otherwise, the finalizers will need to be removed manually.<\/p>\n<p><em><strong>Like this post? 
Don\u2019t forget to share it!<\/strong><\/em><\/p>\n<h2>Useful Resources<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.openpolicyagent.org\/\" target=\"_blank\" rel=\"noopener\">Open Policy Agent<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/open-policy-agent\/gatekeeper\" target=\"_blank\" rel=\"noopener\">Gatekeeper GitHub<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/open-policy-agent\/gatekeeper\/tree\/master\/demo\" target=\"_blank\" rel=\"noopener\">Gatekeeper Samples<\/a><\/li>\n<li><a href=\"https:\/\/www.upnxtblog.com\/index.php\/2018\/11\/12\/10-best-kubernetes-monitoring-tools\/\">10 BEST Kubernetes monitoring tools<\/a><\/li>\n<li><a href=\"https:\/\/www.upnxtblog.com\/index.php\/2018\/07\/16\/kubernetes-tutorial-distributed-tracing-with-jaeger\/\">Kubernetes Tutorial: Distributed tracing with Jaeger<\/a><\/li>\n<li><a href=\"https:\/\/www.upnxtblog.com\/index.php\/2019\/12\/02\/helm-3-0-0-is-outhere-is-what-has-changed\/\">Helm 3.0.0 is out, here is what has changed!<\/a><\/li>\n<li><a href=\"http:\/\/www.upnxtblog.com\/index.php\/2019\/07\/11\/ultimate-guide-to-coursera-specializations-that-will-make-your-career-better-over-100-specializations-covered\/\">ULTIMATE GUIDE to Coursera Specializations That Will Make Your Career Better (Over 100+ Specializations covered)<\/a><\/li>\n<li><a href=\"http:\/\/www.upnxtblog.com\/index.php\/2019\/08\/14\/google-cloud-courses-collection\/\">Google Cloud Courses Collection<\/a><\/li>\n<\/ul>\n","protected":false},"author":2,"featured_media":1031,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[311],"tags":[384,382]}