Skip to content
Gatekeeper - Policy Controller for Kubernetes
Branch: master
Clone or download
ritazh and rite2nikhil fix(deploy):#72 fixes gatekeeper service selector (#73)
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Latest commit ccd2a7a Mar 15, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
build
cmd/manager Rename to gatekeeper (#52) Feb 12, 2019
config Rename to gatekeeper (#52) Feb 12, 2019
demo Rename to gatekeeper (#52) Feb 12, 2019
deploy rename files to gatekeeper (#59) Mar 4, 2019
docs Rename to gatekeeper (#52) Feb 12, 2019
hack Migrate to using kubebuilder. (#41) Feb 1, 2019
pkg fix(deploy):#72 fixes gatekeeper service selector (#73) Mar 15, 2019
policy registry whitelisting example (#34) Jan 2, 2019
version
.gitignore
.travis.yml
CODE_OF_CONDUCT.md
Dockerfile Rename to gatekeeper (#52) Feb 12, 2019
Dockerfile_ci
Gopkg.lock
Gopkg.toml Migrate to using kubebuilder. (#41) Feb 1, 2019
LICENSE Updating the LICENSE to Apache v2 (#33) Jan 8, 2019
Makefile
PROJECT
README.md CI enhancements Mar 12, 2019
README_old.md

README.md

gatekeeper

Build Status Docker Repository on Quay

Warning: Restructing underway

This is a new project that is undergoing heavy restructuring. The policy format, architecture, interfaces, and code layout are all subject to change.

If you need OPA-style admission control right now, we recommend using the OPA Kubernetes Admission Control tutorial. The policies you see there will closely resemble the ones Gatekeeper will support once restructuring is complete.

Want to help?

Join us to help define the direction and implementation of this project!

Goals

Every organization has some rules. Some of these are essential to meet governance, and legal requirements and other are based on learning from past experience and not repeating the same mistakes. These decisions cannot tolerate human response time as they need near a real-time action. Services that are policy enabled to make the organization agile and are essential for long-term success as they are more adaptable as violations and conflicts can be discovered consistently as they are not prone to human error.

Kubernetes allows decoupling complex logic such as policy decisions from the inner working of the API Server by means of admission controller webhooks. This webhooks are executed whenever a resource is created, updated or deleted and can be used to implement complex custom logic. gatekeeper is a mutating and a validating webhook that gets called for matching Kubernetes API server requests by the admission controller. Kubernetes also has another extension mechanism for general authorization decisions (not necessarily related to resources) which is called authorization modules. Usually, just the RBAC authorization module is used, but with gatekeeper it's possible to implement a blacklist in front of RBAC. gatekeeper uses Open Policy Agent (OPA), a policy engine for Cloud Native environments hosted by CNCF as a sandbox-level project.

Kubernetes compliance is enforced at the “runtime” via tools such as network policy and pod security policy. gatekeeper extends the compliance enforcement at “create” event not at “run“ event. For example, a kubernetes service could answer questions like :

  • Can we whitelist / blacklist registries.
  • Not allow conflicting hosts for ingresses.
  • Label objects based on a user from a department.

In addition to the admission scenario it helps answer the audit question such as:

  • What are the policies that my cluster is violating.

In the authorization scenario it's possible to block things like kubectl get, kubectl port-forward or even non-resource requests (all authorized request can be blocked).

You can’t perform that action at this time.