
Shifting policy management left with OPA Gatekeeper

Consider giving this repo a ✨! Thanks!!!

Acknowledgements

Special thanks to @khannaabhi for contributing this guide.

Resources

This app uses the following tools:

Prerequisites

  • A running K8s cluster
  • Install OPA Gatekeeper by running the following command:
      kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.8/deploy/gatekeeper.yaml

How to test the tool in a K8s cluster

  • Install the Gatekeeper constraint template and constraint by running the following commands:
      kubectl apply -f opa-template.yaml
      kubectl apply -f opa-policy.yaml
  • Create a Deployment resource that violates the policy:
      kubectl apply -f deployment.yaml
  • OPA Gatekeeper rejects the creation of the Deployment resource because it violates the policy.
  • The violation can be resolved by changing the image tag from latest to a proper tag (e.g. 1.23.0).

Validate the OPA policy at CI layer

By design, OPA Gatekeeper works only at the CD layer, rejecting resources when they are applied to the cluster. However, we can extend the same policy checks to the CI layer by writing some Go code that uses the OPA library.

To test this functionality, build and run the Go program:

      go build . && ./opa-gatekeeper
  • The program outputs the policy violations.
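
An added example, not the repo's Go program and not using the OPA library: a standard-library Go version of a CI-side check for the one rule this guide demonstrates (no `latest` image tag). It goes beyond the text by also treating untagged images as `latest` and accepting digest-pinned ones; the JSON manifest and the names `usesLatest` and `Violations` are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Constructed sample (Deployment manifest as JSON, digest abbreviated), not a file from the repo.
const sampleDeployment = `{"spec":{"template":{"spec":{"initContainers":[{"name":"init","image":"busybox"}],
 "containers":[{"name":"app","image":"nginx:latest"},{"name":"pinned","image":"nginx@sha256:0000"},
  {"name":"proxy","image":"localhost:5000/envoy:1.23.0"}]}}}}`

type container struct{ Name, Image string }
type podSpec struct{ InitContainers, Containers []container }
type deployment struct{ Spec struct{ Template struct{ Spec podSpec } } }

// usesLatest flags the tag "latest" or a missing tag; digest-pinned images pass.
func usesLatest(image string) bool {
	if strings.Contains(image, "@") {
		return false
	}
	name := image[strings.LastIndex(image, "/")+1:] // skip registry host:port
	i := strings.LastIndex(name, ":")
	return i < 0 || name[i+1:] == "latest"
}

// Violations reports each container or init container running a latest image.
func Violations(manifest []byte) (out []string, err error) {
	var d deployment
	if err = json.Unmarshal(manifest, &d); err != nil {
		return nil, err
	}
	ps := d.Spec.Template.Spec
	for _, c := range append(ps.InitContainers, ps.Containers...) {
		if usesLatest(c.Image) {
			out = append(out, fmt.Sprintf("%s: image %q resolves to latest", c.Name, c.Image))
		}
	}
	return out, nil
}

func main() {
	if v, err := Violations([]byte(sampleDeployment)); err != nil || len(v) > 0 {
		fmt.Println(v, err)
		os.Exit(1) // non-zero exit fails the CI job
	}
}
```

Run against the constructed sample, it flags the `init` and `app` containers and exits non-zero, which is what makes a CI job fail before the manifest ever reaches the cluster.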