open-policy-agent · lachie83 · Feb 12, 2019 · Feb 9, 2019 · Feb 9, 2019 · Feb 9, 2019
@@ -2,16 +2,16 @@
 FROM golang:1.10.3 as builder
 
 # Copy in the go src
-WORKDIR /go/src/github.com/open-policy-agent/kubernetes-policy-controller
+WORKDIR /go/src/github.com/open-policy-agent/gatekeeper
 COPY pkg/    pkg/
 COPY cmd/    cmd/
 COPY vendor/ vendor/
 
 # Build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager github.com/open-policy-agent/kubernetes-policy-controller/cmd/manager
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager github.com/open-policy-agent/gatekeeper/cmd/manager
 
 # Copy the controller-manager into a thin image
 FROM ubuntu:latest
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/open-policy-agent/kubernetes-policy-controller/manager .
+COPY --from=builder /go/src/github.com/open-policy-agent/gatekeeper/manager .
 ENTRYPOINT ["./manager"]
@@ -1,6 +1,6 @@
 
 # Image URL to use all building/pushing image targets
-IMG ?= docker.io/nikhilbh/kubernetes-policy-controller:latest
+IMG ?= docker.io/nikhilbh/gatekeeper:latest
 
 all: test manager
 
@@ -10,7 +10,7 @@ test: generate fmt vet manifests
 
 # Build manager binary
 manager: generate fmt vet
-	go build -o bin/manager github.com/open-policy-agent/kubernetes-policy-controller/cmd/manager
+	go build -o bin/manager github.com/open-policy-agent/gatekeeper/cmd/manager
 
 # Run against the configured Kubernetes cluster in ~/.kube/config
 run: generate fmt vet

@@ -1,3 +1,3 @@
 version: "1"
 domain: styra.org
-repo: github.com/open-policy-agent/kubernetes-policy-controller
+repo: github.com/open-policy-agent/gatekeeper
@@ -1,10 +1,10 @@
-# kubernetes-policy-controller
+# gatekeeper
 
 Every organization has some rules. Some of these are essential to meet governance, and legal requirements and other are based on learning from past experience and not repeating the same mistakes. These decisions cannot tolerate human response time as they need near a real-time action. Services that are policy enabled to make the organization agile and are essential for long-term success as they are more adaptable as violations and conflicts can be discovered consistently as they are not prone to human error. 
 
-Kubernetes allows decoupling complex logic such as policy decisions from the inner working of the API Server by means of [admission controller webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/). This webhooks are executed whenever a resource is created, updated or deleted and can be used to implement complex custom logic. `kubernetes-policy-controller` is a mutating and a validating webhook that gets called for matching Kubernetes API server requests by the admission controller. Kubernetes also has another extension mechanism for general authorization decisions (not necessarily related to resources) which is called [authorization modules](https://kubernetes.io/docs/reference/access-authn-authz/authorization/). Usually, just the RBAC authorization module is used, but with `kubernetes-policy-controller` it's possible to implement a blacklist in front of RBAC. The `kubernetes-policy-controller` uses Open Policy Agent ([OPA](https://github.com/open-policy-agent/opa)), a policy engine for Cloud Native environments hosted by CNCF as a sandbox-level project.
+Kubernetes allows decoupling complex logic such as policy decisions from the inner working of the API Server by means of [admission controller webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/). This webhooks are executed whenever a resource is created, updated or deleted and can be used to implement complex custom logic. `gatekeeper` is a mutating and a validating webhook that gets called for matching Kubernetes API server requests by the admission controller. Kubernetes also has another extension mechanism for general authorization decisions (not necessarily related to resources) which is called [authorization modules](https://kubernetes.io/docs/reference/access-authn-authz/authorization/). Usually, just the RBAC authorization module is used, but with `gatekeeper` it's possible to implement a blacklist in front of RBAC. `gatekeeper` uses Open Policy Agent ([OPA](https://github.com/open-policy-agent/opa)), a policy engine for Cloud Native environments hosted by CNCF as a sandbox-level project.
 
-Kubernetes compliance is enforced at the “runtime” via tools such as network policy and pod security policy. [kubernetes-policy-controller](https://github.com/Azure/kubernetes-policy-controller) extends the compliance enforcement at “create” event not at “run“ event. For example, a kubernetes service could answer questions like :
+Kubernetes compliance is enforced at the “runtime” via tools such as network policy and pod security policy. [gatekeeper](https://github.com/Azure/gatekeeper) extends the compliance enforcement at “create” event not at “run“ event. For example, a kubernetes service could answer questions like :
 
 * Can we whitelist / blacklist registries.
 * Not allow conflicting hosts for ingresses.
@@ -28,16 +28,16 @@ This is a new project and is in alpha state.
 - Join [weekly meetings](https://docs.google.com/document/d/1A1-Q-1OMw3QODs1wT6eqfLTagcGmgzAJAjJihiO3T48/edit)
   to discuss development, issues, use cases, etc.
 
-- Use [GitHub Issues](https://github.com/open-policy-agent/kubernetes-policy-controller/issues)
+- Use [GitHub Issues](https://github.com/open-policy-agent/gatekeeper/issues)
   to file bugs, request features, or ask questions asynchronously.
 
-## Using kubernetes-policy-controller
+## Using gatekeeper
 
 ## 1. Deployment
 
 Access to a Kubernetes cluster with "cluster-admin" permission is the only prerequisite.
 
-Deploy `kubernetes-policy-controller`:
+Deploy `gatekeeper`:
 
 ```bash
 ./deploy/deploy-all.sh
@@ -61,7 +61,7 @@ There are two scenarios of the policy engine namely Validation and Mutation
 Load the policy as a ConfigMap:
 
 ```bash
-kubectl create configmap example -n kpc-system --from-file ./policy/admission/ingress-host-fqdn.rego
+kubectl create configmap example -n gatekeeper-system --from-file ./policy/admission/ingress-host-fqdn.rego
 ```
 
 ```bash
@@ -81,7 +81,7 @@ This policy will mutate resources that define an annotation with the key `"test-
 Load the policy as a ConfigMap:
 
 ```bash
-kubectl create configmap -n kpc-system example2 --from-file ./policy/admission/annotate.rego
+kubectl create configmap -n gatekeeper-system example2 --from-file ./policy/admission/annotate.rego
 ```
 
 First create a Deployment:
@@ -110,11 +110,11 @@ kubectl get deployment nginx -o json | jq '.metadata'
 
 ### 2.3 `authorization` scenario
 
-`kubernetes-policy-controller` must be deployed in combination with OPA. In this scenario, `kubenetes-policy-controller` cannot be deployed via the usual mechanisms because the APIServer relies on it for every request. Afaik, the only viable scenario is to deploy it via static pod manifest on all master nodes. The following steps are necessary to configure `kubernetes-policy-controller` as authorization module webhook.
+`gatekeeper` must be deployed in combination with OPA. In this scenario, `kubenetes-policy-controller` cannot be deployed via the usual mechanisms because the APIServer relies on it for every request. Afaik, the only viable scenario is to deploy it via static pod manifest on all master nodes. The following steps are necessary to configure `gatekeeper` as authorization module webhook.
 
 1. Add the authorization module to the APIServer via flag, e.g.: `--authorization-mode=Node,Webhook,RBAC`
-1. Configure a webhook config file which is used by the APIServer to call the webhook, e.g.: `--authorization-webhook-config-file=/etc/kubernetes/kubernetes-policy-controller.kubeconfig`. See example file content [here](./deploy/kubernetes-policy-controller.kubeconfig)
-1. Deploy the policy-controller via static pod manifest. Place e.g. the following file in `/etc/kubernetes/manifests/`. See example file content [here](./deploy/kubernetes-policy-controller.yaml). In this case no `kube-mgmt` container is deployed, because this would lead to an circular dependency. In this case the policies are stored in the folder `/etc/kubernetes/policy` on the master node. Alternatively, they could be deployed via shared volume and an `initContainer`.
+1. Configure a webhook config file which is used by the APIServer to call the webhook, e.g.: `--authorization-webhook-config-file=/etc/kubernetes/gatekeeper.kubeconfig`. See example file content [here](./deploy/gatekeeper.kubeconfig)
+1. Deploy the policy-controller via static pod manifest. Place e.g. the following file in `/etc/kubernetes/manifests/`. See example file content [here](./deploy/gatekeeper.yaml). In this case no `kube-mgmt` container is deployed, because this would lead to an circular dependency. In this case the policies are stored in the folder `/etc/kubernetes/policy` on the master node. Alternatively, they could be deployed via shared volume and an `initContainer`.
    1. To avoid dependencies on the Kubernetes API Server use the flag `--authorization-mode=true`
 1. Deploy some of the policies stored under [policy/authorization](./policy/authorization). There are examples for:
    1. Blocking create/update/delete on Calico CRDs
@@ -129,12 +129,12 @@ kubectl get deployment nginx -o json | jq '.metadata'
 
 ### policy language
 
-The `kubernetes-policy-controller` uses OPA as the policy engine. OPA provides a high-level declarative language for authoring policies and simple APIs to answer policy queries.
+`gatekeeper` uses OPA as the policy engine. OPA provides a high-level declarative language for authoring policies and simple APIs to answer policy queries.
 Policy rules are created as a rego files. 
 
 ### package admission
 
-`kubernetes-policy-controller` defines a special package name `admission` which is used to logically execute all the `admission` rules.
+`gatekeeper` defines a special package name `admission` which is used to logically execute all the `admission` rules.
 So any `admission` rule defined should be part of this package.
 
 ```go
@@ -160,7 +160,7 @@ deny[{
 
 ### matches[[kind, namespace, name, matched_resource_output]]  
 
-When defining a deny rule, you must find Kubernetes resources that match specific criteria, such as Ingress resources in a particular namespace. `kubernetes-policy-controller` provides the matches functionality by importing `data.kubernetes.matches`.
+When defining a deny rule, you must find Kubernetes resources that match specific criteria, such as Ingress resources in a particular namespace. `gatekeeper` provides the matches functionality by importing `data.kubernetes.matches`.
 
 ```go
 import data.kubernetes.matches
@@ -277,7 +277,7 @@ deny[{
 
 ### package authorization
 
-`kubernetes-policy-controller` defines a special package name `authorization` which is used to logically execute all the `authorization` rules.
+`gatekeeper` defines a special package name `authorization` which is used to logically execute all the `authorization` rules.
 So any `authorization` rule defined should be part of this package.
 
 ```go

@@ -19,10 +19,10 @@ import (
 	"flag"
 	"os"
 
-	"github.com/open-policy-agent/kubernetes-policy-controller/pkg/apis"
-	"github.com/open-policy-agent/kubernetes-policy-controller/pkg/controller"
-	"github.com/open-policy-agent/kubernetes-policy-controller/pkg/standalone"
-	"github.com/open-policy-agent/kubernetes-policy-controller/pkg/webhook"
+	"github.com/open-policy-agent/gatekeeper/pkg/apis"
+	"github.com/open-policy-agent/gatekeeper/pkg/controller"
+	"github.com/open-policy-agent/gatekeeper/pkg/standalone"
+	"github.com/open-policy-agent/gatekeeper/pkg/webhook"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 	"sigs.k8s.io/controller-runtime/pkg/manager"

@@ -1,12 +1,12 @@
 # Adds namespace to all resources.
-namespace: kpc-system
+namespace: gatekeeper-system
 
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named
 # "wordpress" becomes "alices-wordpress".
 # Note that it should also match with the prefix (text before '-') of the namespace
 # field above.
-namePrefix: kpc-
+namePrefix: gatekeeper-
 
 # Labels to add to all resources and selectors.
 #commonLabels:

@@ -8,5 +8,5 @@ spec:
     spec:
       containers:
       # Change the value of image field below to your controller image URL
-      - image: docker.io/nikhilbh/kubernetes-policy-controller:latest
+      - image: docker.io/nikhilbh/gatekeeper:latest
         name: manager
@@ -84,7 +84,7 @@ spec:
           - "--replicate-cluster=v1/namespaces"
           - "--replicate=extensions/v1beta1/ingresses"
           - "--replicate=v1/pods"
-          - "--policies=kpc-system"
+          - "--policies=gatekeeper-system"
       terminationGracePeriodSeconds: 10
       volumes:
       - name: cert

@@ -1,4 +1,4 @@
 #!/bin/bash
 
-controllerpod=$(kubectl -n kpc-system get po --no-headers | awk '{print $1}')
-kubectl -n kpc-system port-forward $controllerpod 7925:7925
+controllerpod=$(kubectl -n gatekeeper-system get po --no-headers | awk '{print $1}')
+kubectl -n gatekeeper-system port-forward $controllerpod 7925:7925
@@ -3,9 +3,9 @@
 cd "${0%/*}"
 
 set -e
-echo "Create kpc-system namespace"
+echo "Create gatekeeper-system namespace"
 
 read -p "Press enter to continue"
 
 # create opa namespace
-kubectl create ns kpc-system
+kubectl create ns gatekeeper-system
@@ -7,4 +7,4 @@ read -p "Press enter to continue"
 rm -rf ./secret
 
 ./delete-webhook.sh
-kubectl delete ns kpc-system
+kubectl delete ns gatekeeper-system
@@ -3,8 +3,8 @@
 cd "${0%/*}"
 
 #set -e
-echo "Delete Kubernetes-policy-controller webhook config"
+echo "Delete gatekeeper webhook config"
 
 read -p "Press enter to continue"
 
-kubectl delete mutatingwebhookconfiguration kpc
+kubectl delete mutatingwebhookconfiguration gatekeeper
@@ -8,6 +8,6 @@ echo "Deploy Admission policies"
 read -p "Press enter to continue"
 
 # deploy admission policies
-kubectl -n kpc-system create configmap ingress-conflict --from-file=../policy/admission/ingress-conflict.rego
-kubectl -n kpc-system create configmap ingress-host-fqdn --from-file=../policy/admission/ingress-host-fqdn.rego
-kubectl -n kpc-system create configmap annotate --from-file=../policy/admission/annotate.rego
+kubectl -n gatekeeper-system create configmap ingress-conflict --from-file=../policy/admission/ingress-conflict.rego
+kubectl -n gatekeeper-system create configmap ingress-host-fqdn --from-file=../policy/admission/ingress-host-fqdn.rego
+kubectl -n gatekeeper-system create configmap annotate --from-file=../policy/admission/annotate.rego
@@ -7,10 +7,10 @@ echo "Deploy OPA and kube-mgmt"
 read -p "Press enter to continue"
 
 # create opa namespace
-kubectl create ns kpc-system
+kubectl create ns gatekeeper-system
 
-# deploy kubernetes-policy-controller 
-kubectl apply -n kpc-system -f ./deploy/kpc.yaml
+# deploy gatekeeper 
+kubectl apply -n gatekeeper-system -f ./deploy/gatekeeper.yaml
 
 # deploy kubernetes policies
-kubectl -n kpc-system create configmap kubernetes-matches --from-file=./policy/kubernetes/matches.rego
+kubectl -n gatekeeper-system create configmap kubernetes-matches --from-file=./policy/kubernetes/matches.rego
@@ -9,4 +9,4 @@ echo "Deploy OPA and kube-mgmt"
 read -p "Press enter to continue"
 
 # deploy opa 
-kubectl apply -n kpc-system -f ./kpc.yaml
+kubectl apply -n gatekeeper-system -f ./gatekeeper.yaml
@@ -7,5 +7,5 @@ echo "Deploy Kubernetes policies"
 read -p "Press enter to continue"
 
 # deploy kubernetes policies
-kubectl -n kpc-system create configmap kubernetes-matches --from-file=../policy/kubernetes/matches.rego
-kubectl -n kpc-system create configmap kubernetes-policymatches --from-file=../policy/kubernetes/policymatches.rego
+kubectl -n gatekeeper-system create configmap kubernetes-matches --from-file=../policy/kubernetes/matches.rego
+kubectl -n gatekeeper-system create configmap kubernetes-policymatches --from-file=../policy/kubernetes/policymatches.rego
@@ -17,7 +17,7 @@ subjects:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: kpc-cluster-role
+  name: gatekeeper-cluster-role
 rules:
 - apiGroups: ["admissionregistration.k8s.io"]
   resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
@@ -30,22 +30,22 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: kpc-cluster-role
+  name: gatekeeper-cluster-role
 roleRef:
   kind: ClusterRole
-  name: kpc-cluster-role
+  name: gatekeeper-cluster-role
   apiGroup: rbac.authorization.k8s.io
 subjects:
 - kind: ServiceAccount
   name: default
-  namespace: kpc-system
+  namespace: gatekeeper-system
 ---
 # Define role for OPA/kube-mgmt to update configmaps and manage services and secrets
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  namespace: kpc-system
-  name: kpc-namespace-role
+  namespace: gatekeeper-system
+  name: gatekeeper-namespace-role
 rules:
 - apiGroups: [""]
   resources: ["configmaps"]
@@ -58,25 +58,25 @@ rules:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  namespace: kpc-system
-  name: kpc-namespace-role
+  namespace: gatekeeper-system
+  name: gatekeeper-namespace-role
 roleRef:
   kind: Role
-  name: kpc-namespace-role
+  name: gatekeeper-namespace-role
   apiGroup: rbac.authorization.k8s.io
 subjects:
 - kind: ServiceAccount
   name: default
-  namespace: kpc-system
+  namespace: gatekeeper-system
 ---
 apiVersion: v1
 kind: Service
 metadata:
   labels:
     control-plane: controller-manager
     controller-tools.k8s.io: "1.0"
-  name: kpc-controller-manager-service
-  namespace: kpc-system
+  name: gatekeeper-controller-manager-service
+  namespace: gatekeeper-system
 spec:
   selector:
     control-plane: controller-manager
@@ -90,14 +90,14 @@ metadata:
   labels:
     control-plane: controller-manager
     controller-tools.k8s.io: "1.0"
-  name: kpc-controller-manager
-  namespace: kpc-system
+  name: gatekeeper-controller-manager
+  namespace: gatekeeper-system
 spec:
   selector:
     matchLabels:
       control-plane: controller-manager
       controller-tools.k8s.io: "1.0"
-  serviceName: kpc-controller-manager-service
+  serviceName: gatekeeper-controller-manager-service
   template:
     metadata:
       labels:
@@ -117,8 +117,8 @@ spec:
               apiVersion: v1
               fieldPath: metadata.namespace
         - name: SECRET_NAME
-          value: kpc-webhook-server-secret
-        image: docker.io/nikhilbh/kubernetes-policy-controller:latest
+          value: gatekeeper-webhook-server-secret
+        image: docker.io/nikhilbh/gatekeeper:latest
         imagePullPolicy: Always
         ports:
         - containerPort: 9876
@@ -148,7 +148,7 @@ spec:
           - --replicate-cluster=v1/namespaces
           - --replicate=extensions/v1beta1/ingresses
           - --replicate=v1/pods
-          - --policies=kpc-system
+          - --policies=gatekeeper-system
         image: openpolicyagent/kube-mgmt:0.6
         imagePullPolicy: Always
         resources: {}
@@ -157,10 +157,10 @@ spec:
       - name: cert
         secret:
           defaultMode: 420
-          secretName: kpc-webhook-server-secret
+          secretName: gatekeeper-webhook-server-secret
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: kpc-webhook-server-secret
-  namespace: kpc-system
+  name: gatekeeper-webhook-server-secret
+  namespace: gatekeeper-system